[pcre-dev] [Bug 1742] New: Invalid memory accesses in compil…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1742] New: Invalid memory accesses in compile_regex (pcre_compile.c)
https://bugs.exim.org/show_bug.cgi?id=1742

            Bug ID: 1742
           Summary: Invalid memory accesses in compile_regex
                    (pcre_compile.c)
           Product: PCRE
           Version: 8.38
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: thomas.lindroth@???
                CC: pcre-dev@???


Fuzzing pcre-1 (8.39-RC1 svn r1617) with afl has turned up some invalid memory
accesses in compile_regex (pcre_compile.c).

This could be a duplicate of bug 1738 but it's marked as fixed.

pattern: /()(((())))(?J)(?'R'(?'R'()(?|((?|()(\k'R')|((?'R'))))|(?'R'))))00/

valgrind pcretest
==31199== Memcheck, a memory error detector
==31199== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31199== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31199== Command: pcretest
==31199==
PCRE version 8.39-RC1 2015-11-23

re> /()(((())))(?J)(?'R'(?'R'()(?|((?|()(\k'R')|((?'R'))))|(?'R'))))00/

==31199== Invalid write of size 1
==31199==    at 0x4E38D8C: compile_branch (pcre_compile.c:8130)
==31199==    by 0x4E38D8C: compile_regex (pcre_compile.c:8330)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid write of size 1
==31199==    at 0x4E38DA6: compile_branch (pcre_compile.c:8129)
==31199==    by 0x4E38DA6: compile_regex (pcre_compile.c:8330)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606954 is 0 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid read of size 1
==31199==    at 0x4E38DF7: compile_branch (pcre_compile.c:8177)
==31199==    by 0x4E38DF7: compile_regex (pcre_compile.c:8330)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid write of size 1
==31199==    at 0x4E3C4A3: compile_regex (pcre_compile.c:8460)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606956 is 2 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid write of size 1
==31199==    at 0x4E3C4AD: compile_regex (pcre_compile.c:8461)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606958 is 4 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid write of size 1
==31199==    at 0x4E3C4B6: compile_regex (pcre_compile.c:8461)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606957 is 3 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
==31199== Invalid write of size 1
==31199==    at 0x4E3E506: pcre_compile2 (pcre_compile.c:9429)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199==  Address 0x5606959 is 5 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199==    by 0x40769D: new_malloc (pcretest.c:2364)
==31199==    by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199==    by 0x4032C5: main (pcretest.c:4026)
==31199== 
Failed: internal error: code overflow at offset 65
  re>


pcretest -C
PCRE version 8.39-RC1 2015-11-23
Compiled with
8-bit support
No UTF-8 support
No Unicode properties support
No just-in-time compiler support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Parentheses nest limit = 250
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack

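To triage a Memcheck log like the one in the report, here is an added example (not part of the bug report and not PCRE code) that parses each "Invalid read/write" record into the fields that matter when assessing a heap overrun: access kind and size, the faulting function and line, and how far past the allocated block the access reaches. The embedded sample is a constructed excerpt of the trace quoted above, including the line-wrapped "malloc (in" frame that a naive line-by-line parser would trip over.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the Memcheck output quoted in the report (3 of its 7 records).
SAMPLE_LOG = """\
==31199== Invalid write of size 1
==31199==    at 0x4E38D8C: compile_branch (pcre_compile.c:8130)
==31199==    by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199==  Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== Invalid read of size 1
==31199==    at 0x4E38DF7: compile_branch (pcre_compile.c:8177)
==31199==  Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199== Invalid write of size 1
==31199==    at 0x4E3E506: pcre_compile2 (pcre_compile.c:9429)
==31199==  Address 0x5606959 is 5 bytes after a block of size 244 alloc'd
"""

# One record: the "Invalid ..." header, the first (faulting) frame, any number of
# "by" frames, then the "Address ... bytes after a block" line.
RECORD = re.compile(
    r"^==\d+== Invalid (read|write) of size (\d+)\n"
    r"==\d+==\s+at 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)\n"
    r"(?:==\d+==\s+by .*\n)*?"
    r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes after a block of size (\d+)",
    re.MULTILINE)

@dataclass
class Access:
    kind: str       # "read" or "write"
    size: int       # bytes touched by the faulting access
    site: str       # "function (file:line)" of the faulting instruction
    past_end: int   # bytes between the block end and the first byte accessed
    block: int      # size of the heap block being overrun

    def overrun(self) -> int:
        # Furthest byte beyond the block end reached by this access.
        return self.past_end + self.size

def parse_memcheck(text: str) -> list[Access]:
    return [Access(kind, int(size), f"{fn} ({loc})", int(past), int(block))
            for kind, size, fn, loc, past, block in RECORD.findall(text)]

def summarize(records: list[Access]) -> dict:
    # Triage view: writes are the dangerous ones; max_overrun bounds the corruption.
    return {"writes": sum(r.kind == "write" for r in records),
            "reads": sum(r.kind == "read" for r in records),
            "max_overrun": max((r.overrun() for r in records), default=0),
            "sites": sorted({r.site for r in records})}
```

Run against the full trace from the report, the same code reports seven accesses (six writes, one read), all within six bytes past the 244-byte block.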