https://bugs.exim.org/show_bug.cgi?id=1742
Bug ID: 1742
Summary: Invalid memory accesses in compile_regex (pcre_compile.c)
Product: PCRE
Version: 8.38
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: thomas.lindroth@???
CC: pcre-dev@???
Fuzzing pcre-1 (8.39-RC1 svn r1617) with afl has turned up some invalid memory accesses in compile_regex (pcre_compile.c).
This could be a duplicate of bug 1738 but it's marked as fixed.
pattern: /()(((())))(?J)(?'R'(?'R'()(?|((?|()(\k'R')|((?'R'))))|(?'R'))))00/
valgrind pcretest
==31199== Memcheck, a memory error detector
==31199== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31199== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31199== Command: pcretest
==31199==
PCRE version 8.39-RC1 2015-11-23
re> /()(((())))(?J)(?'R'(?'R'()(?|((?|()(\k'R')|((?'R'))))|(?'R'))))00/
==31199== Invalid write of size 1
==31199== at 0x4E38D8C: compile_branch (pcre_compile.c:8130)
==31199== by 0x4E38D8C: compile_regex (pcre_compile.c:8330)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid write of size 1
==31199== at 0x4E38DA6: compile_branch (pcre_compile.c:8129)
==31199== by 0x4E38DA6: compile_regex (pcre_compile.c:8330)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606954 is 0 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid read of size 1
==31199== at 0x4E38DF7: compile_branch (pcre_compile.c:8177)
==31199== by 0x4E38DF7: compile_regex (pcre_compile.c:8330)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606955 is 1 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid write of size 1
==31199== at 0x4E3C4A3: compile_regex (pcre_compile.c:8460)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606956 is 2 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid write of size 1
==31199== at 0x4E3C4AD: compile_regex (pcre_compile.c:8461)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606958 is 4 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid write of size 1
==31199== at 0x4E3C4B6: compile_regex (pcre_compile.c:8461)
==31199== by 0x4E3E477: pcre_compile2 (pcre_compile.c:9409)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606957 is 3 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
==31199== Invalid write of size 1
==31199== at 0x4E3E506: pcre_compile2 (pcre_compile.c:9429)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199== Address 0x5606959 is 5 bytes after a block of size 244 alloc'd
==31199== at 0x4C28FC0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31199== by 0x40769D: new_malloc (pcretest.c:2364)
==31199== by 0x4E3E0E7: pcre_compile2 (pcre_compile.c:9332)
==31199== by 0x4032C5: main (pcretest.c:4026)
==31199==
Failed: internal error: code overflow at offset 65
re>
pcretest -C
PCRE version 8.39-RC1 2015-11-23
Compiled with
8-bit support
No UTF-8 support
No Unicode properties support
No just-in-time compiler support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Parentheses nest limit = 250
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack