[pcre-dev] [Bug 1738] heap-buffer-overflow in compile_branch…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1738] heap-buffer-overflow in compile_branch pcre2_compile.c:6412 and pcre2_compile.c:6579
https://bugs.exim.org/show_bug.cgi?id=1738

--- Comment #2 from Kostya Serebryany <kcc@???> ---
With fresh trunk I still see two crashes:

    #0 0x5298b7 in compile_branch pcre2_compile.c:6417
and 
    #0 0x501dd2 in compile_regex pcre2_compile.c:7752:5


Some of the crashing inputs, as raw bytes exactly as passed to the fuzz target below (each input is used both as the pattern text and, via its first 30 bytes, as the seed for the compile options):
0x28,0x38,0x28,0x2a,0x3a,0x36,0x5e,0x9,0x78,0xa6,0x6c,0x5c,0x29,0x36,0x21,0x7c,0xd0,0x3a,0x5b,0x5e,0x3a,0x7c,0x29,0x9,0x64,0x5c,0x5a,0x5c,0x64,0x7b,0x38,0x35,0x2a,0x6d,0x28,0x3f,0x27,0x28,0x3f,0x3c,0x31,0x21,0x29,0x2a,0x5c,0x57,0x5b,0x2a,0xff,0x5d,0x21,0x21,0x68,0x5c,0x77,0x5d,0x2a,0xbe,0x3b,

0x28,0x3f,0x3c,0x21,0xff,0x28,0x18,0x28,0x2a,0x3a,0x4e,0xd,0x34,0x2e,0x20,0x18,0x3c,0x2c,0x99,0x2b,0x5c,0xfc,0x57,0x3c,0x3b,0xa8,0x3a,0x31,0x3c,0xdc,0x5c,0x51,0xe4,0x4e,0x29,0x28,0x7c,0x7c,0x29,0x23,0x3d,0x29,0x1e,0x3c,0x1f,0x38,0x28,0x5c,0x45,0x29,0x76,0x3f,0x7c,0x21,0x5b,0x5e,0xdb,0x5d,0x28,0x3f,0x27,0x75,

0x3b,0x28,0x3f,0x3c,0x21,0xb9,0x2e,0x2e,0x68,0x9,0x54,0x27,0x28,0x2a,0x3a,0x5b,0x5c,0x29,0xb9,0xdc,0x6d,0x2d,0x53,0x54,0x11,0x5b,0x5e,0x29,0x72,0x8a,0x7b,0x32,0x7d,0x2c,0x30,0x6,0x2d,0x5e,0x21,0x28,0x3f,0x27,0x4,0x28,0x3f,0x5d,0x3c,0x21,0x28,0x29,0xdb,0xbc,0x44,0xaa,0x5c,0x76,0x48,0x2d,

0x3b,0xf3,0x2e,0x81,0x28,0x2a,0x3a,0xa,0x3b,0x65,0x2a,0x56,0x63,0x21,0x2e,0xd9,0x5c,0x51,0x21,0x23,0x21,0x72,0x29,0xca,0x53,0x5b,0x2a,0x28,0x2a,0x66,0x9f,0xba,0x5f,0x2e,0x2d,0xd9,0x5c,0x45,0x3f,0x8a,0x29,0x28,0x3f,0x50,0x3c,0x21,0xc0,0x5e,0x99,0x21,0x3b,0x5c,0xa9,0xcb,0x5b,0x5d,0x28,0x29,0x27,0x6f,0x7b,0x18,

0x5c,0x53,0x3b,0x2e,0x76,0x8,0x71,0x28,0x2a,0x3a,0x21,0x57,0x23,0x3b,0x74,0x3f,0x28,0x3f,0x3c,0x21,0x7b,0xe9,0x83,0xad,0x3a,0x33,0x1,0x5c,0x21,0x29,0x3a,0x5c,0x51,0x2a,0x1f,0x28,0x21,0x6f,0x43,0x3a,0x24,0x3b,0x2a,0x1f,0x3b,0x3f,0x3b,0x28,0x3b,0x5c,0xa,0x2a,0x29,0x21,0x35,0x74,0x3f,0x28,0x3f,0x3c,0xb,0x21,

0x9,0x28,0x3f,0x73,0x2d,0x2d,0x78,0x29,0x29,

0xb,0x28,0x3f,0x2d,0x78,0x29,0x3a,




The exact fuzz target (libFuzzer entry point) that produced these crashes:
#define PCRE2_CODE_UNIT_WIDTH 8
#include <stddef.h>
#include <stdint.h>
#include <string>
#include "pcre2posix.h"
#include "pcre2.h"

using std::string;
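/// libFuzzer entry point: compile the input as a PCRE2 (8-bit) pattern and
/// free the result. Each input is used twice: as the pattern text, and (its
/// first 30 bytes) as a seed for the compile options, so one input drives both
/// the pattern parser and the option-dependent code paths.
///
/// @param data  Fuzzer-supplied bytes (untrusted, arbitrary).
/// @param size  Number of bytes in `data`.
/// @return Always 0, as libFuzzer requires.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;

  // Copy into a std::string so c_str() yields a NUL-terminated buffer. The
  // pattern is handed to pcre2_compile as PCRE2_ZERO_TERMINATED, so an input
  // containing an embedded 0x00 byte is compiled only up to that byte. (The
  // unused POSIX regex_t from the original harness has been dropped.)
  const string pat(reinterpret_cast<const char *>(data), size);

  // Fold up to the first 30 bytes into the option word. Accumulate in an
  // unsigned type: pcre2_compile takes uint32_t, and accumulating in a signed
  // int left-shifts a negative value once the high bits fill in, which is
  // undefined behaviour in C++17 — a UBSan finding in the harness itself that
  // would be misattributed to the library.
  constexpr size_t kOptionSeedBytes = 30;
  uint32_t options = 0;
  for (size_t i = 0; i < kOptionSeedBytes && i < size; i++)
    options = (options << 1) ^ data[i];

  // Never compile possibly-invalid UTF with the UTF check disabled: PCRE2
  // documents that as undefined behaviour, so any crash there would be a
  // harness bug rather than a library bug.
  options &= ~PCRE2_NO_UTF_CHECK;

  int errorcode = 0;
  PCRE2_SIZE erroffset = 0;
  if (pcre2_code *code = pcre2_compile(
          reinterpret_cast<const unsigned char *>(pat.c_str()),
          PCRE2_ZERO_TERMINATED, options, &errorcode, &erroffset, nullptr)) {
    pcre2_code_free(code);
  }

  return 0;
}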
