[pcre-dev] [Bug 1744] New: Invalid memory accesses in pcre_…

https://bugs.exim.org/show_bug.cgi?id=1744

            Bug ID: 1744
           Summary: Invalid memory accesses in pcre_get_substring_list
                    (pcre_get.c)
           Product: PCRE
           Version: 8.38
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: thomas.lindroth@???
                CC: pcre-dev@???

Created attachment 853
--> https://bugs.exim.org/attachment.cgi?id=853&action=edit
input for pcretest

Fuzzing pcre-1 (8.39-RC1 svn r1617) with afl has turned up some invalid memory
accesses in pcre_get_substring_list (pcre_get.c)

This crash is difficult to reproduce. Even minor changes to the attached input
makes it none-reproducable.

valgrind pcretest pcre_get_substring_list_crash
==31466== Memcheck, a memory error detector
==31466== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31466== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31466== Command: pcretest pcre_get_substring_list_crash
==31466==
PCRE version 8.39-RC1 2015-11-23


/((K/noe
** Unknown modifier 'n'

/abz/6789Z
** Unknown modifier '6'

/(?<!a{655 5�)x/I
Capturing subpattern count = 0
Max lookbehind = 8
No options
First char = 'x'
No need char

/(?=a\K)/ 
\ d���NO_AUTO_POSrde=z
No match
D
No match
 B  
No match
/(?'abzdefghijklmn[�[x20 \ia0   �/\h/ L
Start of matched string is beyond its end - displaying from end to start.
 0: a
Captu99MMIT
Start of matched string is beyond its end - displaying from end to start.
 0: a
��*
   ring ��bpattingbobnd $ 1�,oern cou \r\Lb 
Start of matched string is beyond its end - displaying from end to start.
 0: a
==31466== Invalid write of size 2
==31466==    at 0x4C2DC23: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4E4A7FC: memcpy (string3.h:51)
==31466==    by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466==    by 0x404D06: main (pcretest.c:5446)
==31466==  Address 0x560ec70 is 0 bytes after a block of size 16 alloc'd
==31466==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x40769D: new_malloc (pcretest.c:2364)
==31466==    by 0x4E4A7BD: pcre_get_substring_list (pcre_get.c:462)
==31466==    by 0x404D06: main (pcretest.c:5446)
==31466== 
==31466== Invalid read of size 2
==31466==    at 0x4C2DC2F: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4E4A7FC: memcpy (string3.h:51)
==31466==    by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466==    by 0x404D06: main (pcretest.c:5446)
==31466==  Address 0x560ec20 is 0 bytes after a block of size 32,768 alloc'd
==31466==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4C2B35F: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x403665: main (pcretest.c:4585)
==31466== 
==31466== Invalid read of size 2
==31466==    at 0x4C2DC20: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4E4A7FC: memcpy (string3.h:51)
==31466==    by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466==    by 0x404D06: main (pcretest.c:5446)
==31466==  Address 0x560ec26 is 6 bytes after a block of size 32,768 alloc'd
==31466==    at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4C2B35F: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x403665: main (pcretest.c:4585)
==31466== 
==31466== 
==31466== Process terminating with default action of signal 11 (SIGSEGV)
==31466==  Access not within mapped region at address 0x59EE000
==31466==    at 0x4C2DC23: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466==    by 0x4E4A7FC: memcpy (string3.h:51)
==31466==    by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466==    by 0x404D06: main (pcretest.c:5446)
==31466==  If you believe this happened as a result of a stack
==31466==  overflow in your program's main thread (unlikely but
==31466==  possible), you can try to increase the size of the
==31466==  main thread stack using the --main-stacksize= flag.
==31466==  The main thread stack size used in this run was 8388608.
==31466== 
==31466== HEAP SUMMARY:
==31466==     in use at exit: 133,612 bytes in 7 blocks
==31466==   total heap usage: 8 allocs, 1 frees, 133,710 bytes allocated
==31466== 
==31466== LEAK SUMMARY:
==31466==    definitely lost: 0 bytes in 0 blocks
==31466==    indirectly lost: 0 bytes in 0 blocks
==31466==      possibly lost: 0 bytes in 0 blocks
==31466==    still reachable: 133,612 bytes in 7 blocks
==31466==         suppressed: 0 bytes in 0 blocks
==31466== Rerun with --leak-check=full to see details of leaked memory
==31466== 
==31466== For counts of detected and suppressed errors, rerun with: -v
==31466== ERROR SUMMARY: 6090045 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault

pcretest -C
PCRE version 8.39-RC1 2015-11-23
Compiled with
8-bit support
No UTF-8 support
No Unicode properties support
No just-in-time compiler support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Parentheses nest limit = 250
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack

--
You are receiving this mail because:
You are on the CC list for the bug.