https://bugs.exim.org/show_bug.cgi?id=1783
Bug ID: 1783
Summary: An issue exists in the callout function of PCRE that leads to a heap-buffer-overflow: strlen() inside pchars(pcre_uint8 *p, int length, FILE *f) is used to calculate the length, and it reads out of memory.
Product: PCRE
Version: 8.38
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: kennyshallnotdie@???
CC: pcre-dev@???
Created attachment 862 --> https://bugs.exim.org/attachment.cgi?id=862&action=edit (ASAN report)
The simplest example regex test case that crashes an ASAN build of PCRE is the following:
/(?<=((?C)0))/
pcretest emits the following bytecode for it:
------------------------------------------------------------------
0 28 Bra
3 22 AssertB
6 1 Reverse
9 13 CBra 1
14 Callout 0 9 1
20 0
22 13 Ket
25 22 Ket
28 28 Ket
31 End
------------------------------------------------------------------
When this is executed, we reach the following code:
------------------------------------------------------------------
// starts from pcretest:2024
if (length < 0)
  length = strlen((char *)p);   // p points to a byte string
while (length-- > 0)
  {
-------------------------------------------------------------------
In this test case, the letter '0' is treated as the value of the length variable in
pchars(pcre_uint8 *p, int length, FILE *f), which is 0x1. So when the input
data length is equal to or larger than one, the length is reduced below
zero (0xffffffff) and the strlen() function is called, which then reads out of memory.
The regex can be changed to another form such as /(?<=((?C)000))/. If the input data
is a string containing 0x03 or more '0' characters, the crash will also be
found by ASAN.
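The defect described above is the "negative length means call strlen()" convention: once the computed length goes below zero, the printing routine scans for a NUL that the subject buffer need not contain. The following is an added example, not code from PCRE or pcretest, showing a bounds-checked variant of that pattern. The function names (safe_pchars, print_callout_span), the explicit `avail` parameter and the constructed subject bytes are assumptions for illustration; the idea that the callout position can lie before the match start (as in a lookbehind, which is what the `Reverse` opcode in the dump suggests) is an inference from the report, which itself only states that the length becomes negative.

```c
/* Added example, not PCRE's or pcretest's code. A bounds-checked variant of
 * the pchars() pattern from the report: a negative length is no longer a
 * license to strlen() an arbitrary buffer; the caller passes how many bytes
 * are readable from p and the scan never goes beyond that. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef unsigned char pcre_uint8;

/* Prints up to `length` bytes of p (or up to the first NUL within `avail`
 * bytes when length < 0) to f, escaping non-printables. When f is NULL
 * nothing is written, which makes the function easy to check in tests.
 * Returns the number of bytes emitted, or -1 if the request does not fit
 * inside the `avail` bytes that are known to be readable. */
int safe_pchars(const pcre_uint8 *p, int length, size_t avail, FILE *f)
{
    size_t n;

    if (p == NULL) return -1;

    if (length < 0)
    {
        /* "Up to the terminator" request: memchr stops at avail even when
           the buffer holds no NUL at all, unlike strlen(). */
        const void *nul = memchr(p, '\0', avail);
        n = (nul != NULL) ? (size_t)((const pcre_uint8 *)nul - p) : avail;
    }
    else
    {
        /* An explicit length must fit; refuse instead of reading past the end. */
        if ((size_t)length > avail) return -1;
        n = (size_t)length;
    }

    for (size_t i = 0; i < n; i++)
    {
        pcre_uint8 c = p[i];
        if (f == NULL) continue;
        if (c >= 32 && c < 127) fputc(c, f);
        else fprintf(f, "\\x%02x", c);
    }
    return (int)n;
}

/* Hypothetical helper mirroring the callout situation: given the subject and
 * two offsets (match start and current position), print the bytes between
 * them. Offsets are validated first, and the span is ordered low..high so a
 * current position before the start (e.g. inside a lookbehind; an assumption
 * about the trigger) can never produce a negative length. Returns -1 on
 * inconsistent offsets. */
int print_callout_span(const pcre_uint8 *subject, size_t subject_length,
                       size_t start, size_t current, FILE *f)
{
    if (subject == NULL) return -1;
    if (start > subject_length || current > subject_length) return -1;

    size_t lo = (start < current) ? start : current;
    size_t hi = (start < current) ? current : start;
    return safe_pchars(subject + lo, (int)(hi - lo), subject_length - lo, f);
}

int main(void)
{
    /* Constructed subject: three '0' bytes followed by "ab", no NUL inside. */
    pcre_uint8 subject[] = { '0', '0', '0', 'a', 'b' };

    /* Current position (1) precedes the match start (3): still safe. */
    int n = print_callout_span(subject, sizeof subject, 3, 1, stdout);
    printf("\nprinted %d bytes\n", n);

    /* A length request larger than the buffer is refused, not honoured. */
    printf("oversized request -> %d\n",
           safe_pchars(subject, 9, sizeof subject, NULL));
    return 0;
}
```

The essential change is that the routine never infers a length from memory contents alone: every scan is bounded by a size the caller actually knows, which is the check that ASAN is reporting as missing in the original.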