[pcre-dev] [Bug 1783] New: An issue exists in the callout fu…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1783] New: An issue exists in the callout function of PCRE that leads to heap-buffer-overflow when strlen() inside pchars(pcre_uint8 *p, int length, FILE *f) calculates length and i
https://bugs.exim.org/show_bug.cgi?id=1783

            Bug ID: 1783
           Summary: An issue exists in the callout function of PCRE that
                    leads to heap-buffer-overflow when strlen() inside
                    pchars(pcre_uint8 *p, int length, FILE *f) calculates
                    length and it reads out of memory.
           Product: PCRE
           Version: 8.38
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: kennyshallnotdie@???
                CC: pcre-dev@???


Created attachment 862
--> https://bugs.exim.org/attachment.cgi?id=862&action=edit
ASAN report

The simplest example regex testcase that will crash in an ASAN build of PCRE is
the following:
/(?<=((?C)0))/

We can then emit the following bytecode:
------------------------------------------------------------------
  0  28 Bra
  3  22 AssertB
  6   1 Reverse
  9  13 CBra 1
 14     Callout 0 9 1
 20     0
 22  13 Ket
 25  22 Ket
 28  28 Ket
 31     End
------------------------------------------------------------------


When this is executed, we reach the following code:
------------------------------------------------------------------
/* pcretest.c, pchars(), starting at pcretest:2024 */
if (length < 0)
  length = strlen((char *)p);   /* p points to a byte string */

while (length-- > 0)
  {
------------------------------------------------------------------

In this testcase, the letter '0' is treated as the value of the length variable
in pchars(pcre_uint8 *p, int length, FILE *f), which is 0x1. So when the input
data length is equal to or larger than one, the length will be reduced below
zero (0xffffffff) and the strlen() function is called. Then it reads out of
memory.

The regex can be changed to other forms like /(?<=((?C)000))/. If the input data
is a string containing '0' 0x03 or more times, the crash will also be found by
ASAN.

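The following C program is an added example and is not code from the bug report or from PCRE. It models the mechanism described above: the callout handler in pcretest (the test harness whose pchars() is quoted at pcretest:2024) prints the text between start_match and current_position, and computes its length as current_position minus start_match. Inside the one-character lookbehind of /(?<=((?C)0))/, the callout fires one byte before the position at which the match attempt started, so that length is -1, and pchars() turns a negative length into strlen() and walks to the next NUL byte in memory. The struct mock_callout_block, the functions post_start_length, pchars_unsafe, pchars_safe and walk_for_callout, and the constructed heap_image buffer are all this example's own; the real pcre_callout_block and pcretest internals are only approximated here.

```c
/* Added example (not PCRE's or the reporter's code): negative-length path
 * in a pchars()-style printer, and a bounded replacement for it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char pcre_uint8;

/* Hypothetical stand-in for the pcre_callout_block fields used here. */
typedef struct {
  const pcre_uint8 *subject;
  int subject_length;
  int start_match;       /* offset where this match attempt started */
  int current_position;  /* offset at which the callout fired       */
} mock_callout_block;

/* Length pcretest computes for the substring start_match..current_position.
 * In a lookbehind the callout can fire before start_match, so this goes negative. */
static int post_start_length(const mock_callout_block *cb)
{
  return cb->current_position - cb->start_match;
}

/* Same control flow as the fragment quoted from pcretest: a negative length is
 * reinterpreted as "NUL-terminated", so the walk ends at the first NUL byte in
 * memory, not at the end of the subject. Returns the number of bytes visited. */
static int pchars_unsafe(const pcre_uint8 *p, int length, FILE *f)
{
  int n = 0;
  if (length < 0)
    length = (int)strlen((const char *)p);
  while (length-- > 0)
    {
    if (f != NULL) fputc(*p, f);
    p++;
    n++;
    }
  return n;
}

/* Hardened variant: the caller states how many bytes after p are valid, and a
 * negative length (a caller bug, as in the lookbehind case) prints nothing
 * instead of becoming an unbounded strlen(). */
static int pchars_safe(const pcre_uint8 *p, int length, size_t avail, FILE *f)
{
  int n = 0;
  if (length < 0) return 0;
  if ((size_t)length > avail) length = (int)avail;
  while (length-- > 0)
    {
    if (f != NULL) fputc(*p, f);
    p++;
    n++;
    }
  return n;
}

/* Constructed memory image: the 1-byte subject "0" followed by bytes standing
 * in for whatever sits after it on the heap. In real pcretest those bytes lie
 * outside the allocation, which is what ASAN reports; here a NUL sentinel
 * keeps the walk inside this array so the example runs cleanly. */
static const pcre_uint8 heap_image[] = "0" "NEXT-ON-HEAP";
#define SUBJECT_LEN 1

/* Run one callout through the unsafe or the hardened printer and return how
 * many bytes past start_match it visited. */
static int walk_for_callout(int start_match, int current_position, int hardened)
{
  mock_callout_block cb = { heap_image, SUBJECT_LEN, start_match, current_position };
  const pcre_uint8 *p = cb.subject + cb.start_match;
  int len = post_start_length(&cb);
  size_t avail = (cb.start_match <= cb.subject_length)
                   ? (size_t)(cb.subject_length - cb.start_match) : 0;
  if (!hardened)
    return pchars_unsafe(p, len, NULL);
  return pchars_safe(p, len, avail, NULL);
}

int main(void)
{
  /* Lookbehind case from the report: attempt started at offset 1 (end of the
   * subject), the assertion stepped back one byte, the callout fired at 0. */
  printf("lookbehind: length=%d unsafe visits %d bytes, hardened visits %d\n",
         1 - 0 > 0 ? 0 - 1 : 0, walk_for_callout(1, 0, 0), walk_for_callout(1, 0, 1));
  /* Ordinary forward callout: both printers agree on the 1-byte substring. */
  printf("forward:    unsafe visits %d bytes, hardened visits %d\n",
         walk_for_callout(0, 1, 0), walk_for_callout(0, 1, 1));
  return 0;
}
```

The unsafe walk for the lookbehind case visits the 12 bytes of the constructed filler rather than the 0 bytes that actually belong to the subject after start_match; under a real heap layout that is the out-of-bounds read the attached ASAN report shows. The hardened printer returns 0 for the negative length and still matches the unsafe printer on an ordinary forward callout.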