https://bugs.exim.org/show_bug.cgi?id=1744
Bug ID: 1744
Summary: Invalid memory accesses in pcre_get_substring_list (pcre_get.c)
Product: PCRE
Version: 8.38
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: thomas.lindroth@???
CC: pcre-dev@???
Created attachment 853 (input for pcretest): https://bugs.exim.org/attachment.cgi?id=853&action=edit
Fuzzing pcre-1 (8.39-RC1 svn r1617) with afl has turned up some invalid memory
accesses in pcre_get_substring_list (pcre_get.c).
This crash is difficult to reproduce. Even minor changes to the attached input
make it non-reproducible.
valgrind pcretest pcre_get_substring_list_crash
==31466== Memcheck, a memory error detector
==31466== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31466== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31466== Command: pcretest pcre_get_substring_list_crash
==31466==
PCRE version 8.39-RC1 2015-11-23
/((K/noe
** Unknown modifier 'n'
/abz/6789Z
** Unknown modifier '6'
/(?<!a{655 5�)x/I
Capturing subpattern count = 0
Max lookbehind = 8
No options
First char = 'x'
No need char
/(?=a\K)/
\ d���NO_AUTO_POSrde=z
No match
D
No match
B
No match
/(?'abzdefghijklmn[�[x20 \ia0 �/\h/ L
Start of matched string is beyond its end - displaying from end to start.
0: a
Captu99MMIT
Start of matched string is beyond its end - displaying from end to start.
0: a
��*
ring ��bpattingbobnd $ 1�,oern cou \r\Lb
Start of matched string is beyond its end - displaying from end to start.
0: a
==31466== Invalid write of size 2
==31466== at 0x4C2DC23: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4E4A7FC: memcpy (string3.h:51)
==31466== by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466== by 0x404D06: main (pcretest.c:5446)
==31466== Address 0x560ec70 is 0 bytes after a block of size 16 alloc'd
==31466== at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x40769D: new_malloc (pcretest.c:2364)
==31466== by 0x4E4A7BD: pcre_get_substring_list (pcre_get.c:462)
==31466== by 0x404D06: main (pcretest.c:5446)
==31466==
==31466== Invalid read of size 2
==31466== at 0x4C2DC2F: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4E4A7FC: memcpy (string3.h:51)
==31466== by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466== by 0x404D06: main (pcretest.c:5446)
==31466== Address 0x560ec20 is 0 bytes after a block of size 32,768 alloc'd
==31466== at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4C2B35F: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x403665: main (pcretest.c:4585)
==31466==
==31466== Invalid read of size 2
==31466== at 0x4C2DC20: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4E4A7FC: memcpy (string3.h:51)
==31466== by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466== by 0x404D06: main (pcretest.c:5446)
==31466== Address 0x560ec26 is 6 bytes after a block of size 32,768 alloc'd
==31466== at 0x4C28FC0: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4C2B35F: realloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x403665: main (pcretest.c:4585)
==31466==
==31466==
==31466== Process terminating with default action of signal 11 (SIGSEGV)
==31466== Access not within mapped region at address 0x59EE000
==31466== at 0x4C2DC23: memcpy@@GLIBC_2.14 (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31466== by 0x4E4A7FC: memcpy (string3.h:51)
==31466== by 0x4E4A7FC: pcre_get_substring_list (pcre_get.c:477)
==31466== by 0x404D06: main (pcretest.c:5446)
==31466== If you believe this happened as a result of a stack
==31466== overflow in your program's main thread (unlikely but
==31466== possible), you can try to increase the size of the
==31466== main thread stack using the --main-stacksize= flag.
==31466== The main thread stack size used in this run was 8388608.
==31466==
==31466== HEAP SUMMARY:
==31466== in use at exit: 133,612 bytes in 7 blocks
==31466== total heap usage: 8 allocs, 1 frees, 133,710 bytes allocated
==31466==
==31466== LEAK SUMMARY:
==31466== definitely lost: 0 bytes in 0 blocks
==31466== indirectly lost: 0 bytes in 0 blocks
==31466== possibly lost: 0 bytes in 0 blocks
==31466== still reachable: 133,612 bytes in 7 blocks
==31466== suppressed: 0 bytes in 0 blocks
==31466== Rerun with --leak-check=full to see details of leaked memory
==31466==
==31466== For counts of detected and suppressed errors, rerun with: -v
==31466== ERROR SUMMARY: 6090045 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault
pcretest -C
PCRE version 8.39-RC1 2015-11-23
Compiled with
8-bit support
No UTF-8 support
No Unicode properties support
No just-in-time compiler support
Newline sequence is LF
\R matches all Unicode newlines
Internal link size = 2
POSIX malloc threshold = 10
Parentheses nest limit = 250
Default match limit = 10000000
Default recursion depth limit = 10000000
Match recursion uses stack
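The valgrind trace above points at the memcpy in pcre_get_substring_list (pcre_get.c:477) writing past a 16-byte block, and pcretest reports "Start of matched string is beyond its end" for the fuzzed input. As an added illustration that is not PCRE's own code, the block below models a substring-list builder that trusts the ovector and sizes its buffer from end - start, beside a hardened variant that rejects a pair whose start lies beyond its end; that this inverted-pair mechanism is the cause here is an assumption, and the subject string and ovectors are constructed for the example.

```c
/* Added example, not PCRE's code. Models a substring list laid out as a pointer
 * array followed by NUL-terminated copies; the inverted-pair mechanism is an
 * assumption drawn from the pcretest message in the report, not confirmed code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Naive sizing: each pair contributes end - start + 1. An inverted pair gives a
 * negative contribution, the unsigned total wraps, and the block comes out too
 * small for the copies that follow (compare the 16-byte block in the trace). */
size_t naive_list_size(const int *ovector, int count)
{
    size_t size = (size_t)(count + 1) * sizeof(char *);    /* pointers + NULL */
    for (int i = 0; i < count * 2; i += 2)
        size += (size_t)(ovector[i + 1] - ovector[i] + 1);   /* wraps if negative */
    return size;
}

/* Hardened: validate every pair against the subject before allocating or copying.
 * Returns 0 and sets *listptr (caller frees) on success, -1 on a bad ovector. */
int safe_get_substring_list(const char *subject, size_t subject_len,
                            const int *ovector, int count, char ***listptr)
{
    size_t size = (size_t)(count + 1) * sizeof(char *);
    for (int i = 0; i < count * 2; i += 2) {
        if (ovector[i] < 0 || ovector[i + 1] < ovector[i] ||
            (size_t)ovector[i + 1] > subject_len)
            return -1;                                     /* inverted or past end */
        size += (size_t)(ovector[i + 1] - ovector[i]) + 1;
    }
    char **list = malloc(size);
    if (list == NULL) return -1;
    char *p = (char *)(list + count + 1);                  /* copies follow pointers */
    for (int i = 0; i < count * 2; i += 2) {
        size_t len = (size_t)(ovector[i + 1] - ovector[i]);
        memcpy(p, subject + ovector[i], len);
        p[len] = '\0';
        list[i / 2] = p;
        p += len + 1;
    }
    list[count] = NULL;
    *listptr = list;
    return 0;
}

/* Constructed inputs: one consistent pair and one with start > end. */
static const char SUBJECT[] = "hello world";
static const int GOOD_OVECTOR[2] = {6, 11};
static const int BAD_OVECTOR[2]  = {8, 2};
```

With the inverted pair the naive size drops below even the pointer array, so a subsequent copy of the real substring length overruns the block; the hardened version refuses the ovector before any allocation.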