https://bugs.exim.org/show_bug.cgi?id=1724
Bug ID: 1724
Summary: heap-buffer-overflow in compile_branch
src/pcre2_compile.c:5534
Product: PCRE
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: kcc@???
CC: pcre-dev@???
Found with libFuzzer+AddressSanitizer on fresh trunk
==36415==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000129ab at pc 0x000000528209 bp 0x7ffe18380d10 sp 0x7ffe18380d08
READ of size 1 at 0x61d0000129ab thread T0
#0 0x528208 in compile_branch src/pcre2_compile.c:5534:14
#1 0x4fcfb4 in compile_regex src/pcre2_compile.c:7594:8
#2 0x4f7f0a in pcre2_compile_8 src/pcre2_compile.c:8677:7
#3 0x4dda1e in LLVMFuzzerTestOneInput
0x61d0000129ab is located 85 bytes to the left of 191-byte region [0x61d000012a00,0x61d000012abf)
allocated by thread T0 here:
#0 0x4b234b in malloc
#1 0x4f7201 in pcre2_compile_8 src/pcre2_compile.c:8583:3
#2 0x4dda1e in LLVMFuzzerTestOneInput
The following target function was used:
#define PCRE2_CODE_UNIT_WIDTH 8
#include <pcre2.h>
#include <cstddef>
#include <string>
using std::string;

extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  // Copy the raw input bytes into a NUL-terminated string used as the pattern.
  string pat(reinterpret_cast<const char*>(data), size);
  PCRE2_SIZE erroffset;
  int errorcode;
  int options = 0;
  // Derive the compile options from the first (at most 30) input bytes.
  for (size_t i = 0; i < 30 && i < size; i++)
    options = (options << 1) ^ data[i];
  if (pcre2_code *x = pcre2_compile((const unsigned char *)pat.c_str(),
                                    PCRE2_ZERO_TERMINATED, options, &errorcode,
                                    &erroffset, NULL)) {
    pcre2_code_free(x);
  }
  return 0;
}
Input:
0xf2,0x28,0x25,0x2a,0x29,0x5c,0x45,0x2b,0x5c,0x78
Note: this is using the full pcre2_compile interface instead of the
POSIX "regcomp" interface that has been fuzzed extensively in the recent
months.
The "options" are extracted from 'data' in a more or less random way.
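A stand-alone reproducer, added here and not part of the report: it recomputes the options word the harness folds out of the listed input bytes (0x1d6a4 for this input) and, when built with -DWITH_PCRE2 against libpcre2-8 under AddressSanitizer, hands the same pattern and options to pcre2_compile. The WITH_PCRE2 macro, the function names and the use of uint32_t for the option word are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef WITH_PCRE2 /* build: clang -fsanitize=address -DWITH_PCRE2 repro.c -lpcre2-8 */
#define PCRE2_CODE_UNIT_WIDTH 8
#include <pcre2.h>
#endif

/* The crashing input, copied from the report (10 bytes). */
static const unsigned char CRASH_INPUT[] =
    { 0xf2, 0x28, 0x25, 0x2a, 0x29, 0x5c, 0x45, 0x2b, 0x5c, 0x78 };
#define CRASH_INPUT_LEN (sizeof CRASH_INPUT)

/* Same fold as the fuzz target over the first min(30, size) bytes; uint32_t
 * keeps the shift well-defined and matches the harness's int for this input. */
uint32_t derive_options(const unsigned char *data, size_t size)
{
    uint32_t options = 0;
    for (size_t i = 0; i < 30 && i < size; i++)
        options = (options << 1) ^ data[i];
    return options;
}

#ifdef WITH_PCRE2
/* Returns 0 if the pattern compiled, else the pcre2 error code; on the
 * affected trunk ASan reports the read in compile_branch before either. */
int reproduce(void)
{
    char pat[CRASH_INPUT_LEN + 1];   /* NUL-terminated copy, as c_str() gave */
    int errorcode = 0;
    PCRE2_SIZE erroffset = 0;
    memcpy(pat, CRASH_INPUT, CRASH_INPUT_LEN);
    pat[CRASH_INPUT_LEN] = '\0';
    pcre2_code *re = pcre2_compile((PCRE2_SPTR)pat, PCRE2_ZERO_TERMINATED,
        derive_options(CRASH_INPUT, CRASH_INPUT_LEN), &errorcode, &erroffset, NULL);
    if (re == NULL) return errorcode;
    pcre2_code_free(re);
    return 0;
}
#endif

int main(void)
{
    printf("options = 0x%x\n", derive_options(CRASH_INPUT, CRASH_INPUT_LEN));
#ifdef WITH_PCRE2
    printf("pcre2_compile -> %d\n", reproduce());
#endif
    return 0;
}
```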