[pcre-dev] [Bug 1738] New: heap-buffer-overflow in compile_b…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1738] New: heap-buffer-overflow in compile_branch pcre2_compile.c:6412 and pcre2_compile.c:6579
https://bugs.exim.org/show_bug.cgi?id=1738

            Bug ID: 1738
           Summary: heap-buffer-overflow in compile_branch
                    pcre2_compile.c:6412 and pcre2_compile.c:6579
           Product: PCRE
           Version: N/A
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: kcc@???
                CC: pcre-dev@???


Found with libFuzzer+AddressSanitizer on fresh trunk.
The target function is the same as in bug 1724 (with PCRE2_NO_UTF_CHECK masked out).

Two slightly different reports:

==25200==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60700000d656 at pc 0x000000527e51 bp 0x7fffb1bacaf0 sp 0x7fffb1bacae8
READ of size 1 at 0x60700000d656 thread T0
    #0 0x527e50 in compile_branch pcre2_compile.c:6579:16
    #1 0x4fdc04 in compile_regex pcre2_compile.c:7614:8
    #2 0x4f7c0b in pcre2_compile_8 pcre2_compile.c:8584:7
    #3 0x4de4fc in LLVMFuzzerTestOneInput 


Input:
0x8a,0x2b,0x66,0x7c,0x3b,0x54,0x3f,0x28,0x2a,0x3a,0x3b,0x2e,0x27,0x3f,0x60,0x28,0xea,0x70,0x20,0x29,0x7b,0x21,0x5b,0x5e,0x28,0x29,0x5c,0x68,0x21,0x79,0x2a,0x27,0x27,0x43,0x2a,0x28,0x3f,0x27,0x3b,0x5d,0x7b,0x31,0x3b,0x28,0x8,



==24455==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60800000bef7 at pc 0x000000527f38 bp 0x7ffe42376b50 sp 0x7ffe42376b48
READ of size 1 at 0x60800000bef7 thread T0
    #0 0x527f37 in compile_branch pcre2_compile.c:6412:18
    #1 0x4fdc04 in compile_regex pcre2_compile.c:7614:8
    #2 0x4f7c0b in pcre2_compile_8 pcre2_compile.c:8584:7
    #3 0x4de4fc in LLVMFuzzerTestOneInput



Input:
0x28,0x3f,0x3c,0x21,0x47,0x27,0x4d,0x72,0x28,0x3d,0x29,0x28,0x2a,0x3a,0x54,0x28,0x2a,0x25,0x28,0x28,0xc,0xba,0x21,0xa9,0x2d,0x3b,0x47,0xd,0x29,0x27,0x7a,0x5b,0x3a,0x27,0x27,0x28,0x5e,0x68,0x28,0x29,0x28,0x3f,0x3c,0x5d,0x3d,

--
You are receiving this mail because:
You are on the CC list for the bug.
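The two "Input:" lines above are pasted in libFuzzer's comma-separated 0xNN form, which is awkward to hand back to the fuzz target or to drop into a regression test. The script below is an added example, not code from the report or from the PCRE2 project: it parses that format, writes each input to a file that can be passed as an argument to the fuzzer binary (libFuzzer runs a file given on its command line once and exits), renders the bytes so the pattern handed to pcre2_compile() is readable, and emits a C initializer for a regression test. The output file names, the C array names and the fuzzer binary name in the usage note are assumptions. The byte lists are copied from the two reports above; the compile options come from the bug 1724 harness, which is not on this page, so the files must be fed to that same harness to reproduce the crash.

```python
"""Turn the byte lists pasted in a libFuzzer report into reproducer artifacts.

Added example, not part of the original bug report or of PCRE2 itself.
"""
import re
from pathlib import Path

# Copied from the two "Input:" lines of the report (trailing comma included,
# exactly as pasted).
INPUT_1 = ("0x8a,0x2b,0x66,0x7c,0x3b,0x54,0x3f,0x28,0x2a,0x3a,0x3b,0x2e,0x27,0x3f,"
           "0x60,0x28,0xea,0x70,0x20,0x29,0x7b,0x21,0x5b,0x5e,0x28,0x29,0x5c,0x68,"
           "0x21,0x79,0x2a,0x27,0x27,0x43,0x2a,0x28,0x3f,0x27,0x3b,0x5d,0x7b,0x31,"
           "0x3b,0x28,0x8,")
INPUT_2 = ("0x28,0x3f,0x3c,0x21,0x47,0x27,0x4d,0x72,0x28,0x3d,0x29,0x28,0x2a,0x3a,"
           "0x54,0x28,0x2a,0x25,0x28,0x28,0xc,0xba,0x21,0xa9,0x2d,0x3b,0x47,0xd,"
           "0x29,0x27,0x7a,0x5b,0x3a,0x27,0x27,0x28,0x5e,0x68,0x28,0x29,0x28,0x3f,"
           "0x3c,0x5d,0x3d,")

# One item of the list: "0x8a", "0x8", "0xc" (libFuzzer does not zero-pad).
HEX_ITEM = re.compile(r"^0x([0-9a-fA-F]{1,2})$")


def decode_input_list(text: str) -> bytes:
    """Parse a comma-separated list of 0xNN items into raw bytes.

    Whitespace around items and a trailing comma are tolerated; anything
    that is not a byte literal is an error rather than silently skipped, so a
    mangled paste cannot produce a reproducer that no longer crashes.
    """
    out = bytearray()
    for item in text.split(","):
        item = item.strip()
        if not item:          # trailing comma / empty field
            continue
        m = HEX_ITEM.match(item)
        if not m:
            raise ValueError(f"not a byte literal: {item!r}")
        out.append(int(m.group(1), 16))
    return bytes(out)


def render_pattern(data: bytes) -> str:
    """Readable view of the pattern: printable ASCII as-is, other bytes as \\xNN.

    The \\xNN here is this script's notation for non-printable bytes, not a
    regex escape; the pattern's own backslashes (e.g. the \\h in input 1)
    are printed unchanged.
    """
    return "".join(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}" for b in data)


def to_c_array(name: str, data: bytes) -> str:
    """Emit a C initializer (with explicit length) for a regression test."""
    body = ", ".join(f"0x{b:02x}" for b in data)
    return f"static const unsigned char {name}[{len(data)}] = {{ {body} }};"


def write_reproducer(path, data: bytes) -> int:
    """Write the raw bytes to `path` and return the byte count written."""
    Path(path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    for n, text in ((1, INPUT_1), (2, INPUT_2)):
        data = decode_input_list(text)
        name = f"bug1738-{n}.bin"          # assumed file name
        write_reproducer(name, data)
        print(f"{name}: {len(data)} bytes")
        print("  pattern:", render_pattern(data))
        print(" ", to_c_array(f"bug1738_input{n}", data))  # assumed array name
```

Both inputs decode to 45 bytes. To replay one, pass the file to the same ASan-instrumented fuzz target that produced the report (e.g. `./pcre2_fuzzer bug1738-1.bin`, where the binary name is an assumption); the read overflow in compile_branch should then reappear in the ASan output with the same frame numbers as above.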