https://bugs.exim.org/show_bug.cgi?id=1791
Bug ID: 1791
Summary: ZDI-CAN-3542: New Vulnerability Report
Product: PCRE
Version: N/A
Hardware: x86
OS: Windows
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: zdi-disclosures@???
CC: pcre-dev@???
Created attachment 865 (poc): https://bugs.exim.org/attachment.cgi?id=865&action=edit
ZDI-CAN-3542: PCRE Regular Expression Compilation Stack Buffer Overflow Remote
Code Execution Vulnerability
-- CVSS -----------------------------------------
5.1, AV:N/AC:H/Au:N/C:P/I:P/A:P
-- ABSTRACT -------------------------------------
HP's Zero Day Initiative has identified a vulnerability affecting the following
products:
PCRE PCRE
-- VULNERABILITY DETAILS ------------------------
Tested on Linux.
PCRE does not check that its handling of the (*ACCEPT) verb stays within the
bounds of the cworkspace stack buffer, leading to a stack buffer overflow during
pattern compilation.
```
$ php-5.6.17/sapi/cli/php test_case.php
================================================================
==97723==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd1d0fb050 at pc 0x4ff262 bp 0x7ffd1d0b3dd0 sp 0x7ffd1d0b3dc0
WRITE of size 1 at 0x7ffd1d0fb050 thread T0
#0 0x4ff261 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x4ff261)
#1 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#2 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#3 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#4 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#5 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#6 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#7 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#8 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#9 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#10 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#11 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#12 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#13 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#14 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#15 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#16 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#17 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#18 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#19 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#20 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#21 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#22 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#23 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#24 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#25 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#26 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#27 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#28 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#29 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#30 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#31 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#32 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#33 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#34 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#35 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#36 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#37 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#38 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#39 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#40 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#41 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#42 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#43 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#44 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#45 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#46 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#47 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#48 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#49 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#50 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#51 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#52 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#53 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#54 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#55 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#56 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#57 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#58 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#59 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#60 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#61 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#62 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#63 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#64 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#65 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#66 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#67 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#68 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#69 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#70 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#71 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#72 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#73 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#74 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#75 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#76 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#77 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#78 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#79 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#80 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#81 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#82 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#83 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#84 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#85 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#86 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#87 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#88 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#89 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#90 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#91 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#92 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#93 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#94 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#95 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#96 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#97 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#98 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#99 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#100 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#101 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#102 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#103 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#104 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#105 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#106 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#107 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#108 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#109 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#110 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#111 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#112 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#113 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#114 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#115 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#116 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#117 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#118 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#119 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#120 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#121 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#122 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#123 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#124 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#125 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#126 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#127 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#128 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#129 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#130 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#131 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#132 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#133 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#134 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#135 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#136 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#137 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#138 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#139 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#140 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#141 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#142 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#143 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#144 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#145 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#146 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#147 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#148 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#149 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#150 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#151 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#152 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#153 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#154 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#155 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#156 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#157 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#158 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#159 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#160 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#161 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#162 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#163 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#164 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#165 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#166 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#167 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#168 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#169 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#170 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#171 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#172 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#173 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#174 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#175 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#176 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#177 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#178 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#179 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#180 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#181 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#182 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#183 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#184 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#185 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#186 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#187 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#188 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#189 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#190 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#191 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#192 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#193 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#194 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#195 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#196 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#197 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#198 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#199 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#200 0x5051f1 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
#201 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
#202 0x50bb5c in php_pcre_compile2 (/home/zdi/php-5.6.17/sapi/cli/php+0x50bb5c)
#203 0x50a143 in php_pcre_compile (/home/zdi/php-5.6.17/sapi/cli/php+0x50a143)
#204 0x5c1dd8 in pcre_get_compiled_regex_cache (/home/zdi/php-5.6.17/sapi/cli/php+0x5c1dd8)
#205 0x5c2bd0 in php_do_pcre_match (/home/zdi/php-5.6.17/sapi/cli/php+0x5c2bd0)
#206 0x5c53c3 in zif_preg_match (/home/zdi/php-5.6.17/sapi/cli/php+0x5c53c3)
#207 0xee5bd0 in zend_do_fcall_common_helper_SPEC (/home/zdi/php-5.6.17/sapi/cli/php+0xee5bd0)
#208 0xeff289 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (/home/zdi/php-5.6.17/sapi/cli/php+0xeff289)
#209 0xee10b8 in execute_ex (/home/zdi/php-5.6.17/sapi/cli/php+0xee10b8)
#210 0xee2a60 in zend_execute (/home/zdi/php-5.6.17/sapi/cli/php+0xee2a60)
#211 0xe1606d in zend_execute_scripts (/home/zdi/php-5.6.17/sapi/cli/php+0xe1606d)
#212 0xc9e2d8 in php_execute_script (/home/zdi/php-5.6.17/sapi/cli/php+0xc9e2d8)
#213 0x118e8f2 in do_cli (/home/zdi/php-5.6.17/sapi/cli/php+0x118e8f2)
#214 0x1191572 in main (/home/zdi/php-5.6.17/sapi/cli/php+0x1191572)
#215 0x7f46a9719a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#216 0x421318 in _start (/home/zdi/php-5.6.17/sapi/cli/php+0x421318)
Address 0x7ffd1d0fb050 is located in stack of thread T0 at offset 5216 in frame
#0 0x50a155 in php_pcre_compile2 (/home/zdi/php-5.6.17/sapi/cli/php+0x50a155)
This frame has 11 object(s):
[32, 36) 'length'
[96, 100) 'firstcharflags'
[160, 164) 'reqcharflags'
[224, 228) 'firstchar'
[288, 292) 'reqchar'
[352, 356) 'errorcode'
[416, 424) 'code'
[480, 488) 'ptr'
[544, 736) 'compile_block'
[768, 1088) 'named_groups'
[1120, 5216) 'cworkspace' <== Memory access at offset 5216 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 compile_branch
Shadow bytes around the buggy address:
0x100023a175b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100023a175c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100023a175d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100023a175e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100023a175f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100023a17600: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
0x100023a17610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100023a17620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x100023a17630: f1 f1 01 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
0x100023a17640: f2 f2 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
0x100023a17650: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==97723==ABORTING
```
The same crash also reproduces on PHP 7.0.2, as well as on PCRE 8.38 and PCRE2 10.21.
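Triage helper for reports like the AddressSanitizer output above, added here as an example and not part of the ZDI report, PCRE or PHP: it pulls out the error class, the faulting access, the function that performed it, how many times compile_branch sits on the stack and which stack object was overrun by how much. SAMPLE_REPORT is a constructed, shortened excerpt of the report quoted above; the frame regex tolerates the wrapped two-line frames seen in the bug text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, shortened excerpt of the ASan report quoted in this bug; frame #2
# is kept in the wrapped two-line form in which the report appears above.
SAMPLE_REPORT = """\
==97723==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1d0fb050 at pc 0x4ff262 bp 0x7ffd1d0b3dd0 sp 0x7ffd1d0b3dc0
WRITE of size 1 at 0x7ffd1d0fb050 thread T0
    #0 0x4ff261 in compile_branch (/home/zdi/php-5.6.17/sapi/cli/php+0x4ff261)
    #1 0x5077e9 in compile_regex (/home/zdi/php-5.6.17/sapi/cli/php+0x5077e9)
    #2 0x5051f1 in compile_branch
(/home/zdi/php-5.6.17/sapi/cli/php+0x5051f1)
    #3 0x50bb5c in php_pcre_compile2 (/home/zdi/php-5.6.17/sapi/cli/php+0x50bb5c)
Address 0x7ffd1d0fb050 is located in stack of thread T0 at offset 5216 in frame
    #0 0x50a155 in php_pcre_compile2 (/home/zdi/php-5.6.17/sapi/cli/php+0x50a155)
  This frame has 11 object(s):
    [1120, 5216) 'cworkspace' <== Memory access at offset 5216 overflows this variable
"""

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
_FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (\S+)")  # module is optional, so wrapped lines still parse
_OFFSET_RE = re.compile(r"at offset (\d+) in frame")
_OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' <== Memory access")

@dataclass
class AsanTriage:
    kind: str                        # e.g. "stack-buffer-overflow"
    access: str                      # READ or WRITE
    size: int                        # bytes accessed
    offset: Optional[int]            # access offset inside the owning stack frame
    variable: Optional[str] = None   # stack object that was overrun
    var_start: Optional[int] = None
    var_end: Optional[int] = None
    frames: List[str] = field(default_factory=list)  # call stack, innermost first

    def recursion_depth(self, fn: str) -> int:
        # Repeated compile_branch/compile_regex frames show how deeply nested the pattern was.
        return self.frames.count(fn)

    def variable_size(self) -> Optional[int]:
        return None if self.var_end is None else self.var_end - self.var_start

    def bytes_past_end(self) -> Optional[int]:
        # 0 means the first byte beyond the object, i.e. an off-by-one overrun.
        return None if self.offset is None or self.var_end is None else self.offset - self.var_end

def parse_asan_report(text: str) -> AsanTriage:
    m = _ERROR_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    am, om = _ACCESS_RE.search(text), _OFFSET_RE.search(text)
    t = AsanTriage(kind=m.group(1), access=am.group(1) if am else "?",
                   size=int(am.group(2)) if am else 0, offset=int(om.group(1)) if om else None)
    in_trace = True  # frames after "Address ... in frame" name the owning frame, not the call stack
    for line in text.splitlines():
        if line.startswith("Address "):
            in_trace = False
        if in_trace and (fm := _FRAME_RE.match(line)):
            t.frames.append(fm.group(1))
        if (vm := _OBJECT_RE.search(line)):
            t.var_start, t.var_end, t.variable = int(vm.group(1)), int(vm.group(2)), vm.group(3)
    return t
```

Run over the full report quoted above, the same parser reports a one-byte write by compile_branch landing on the first byte past the end of the 4096-byte cworkspace buffer, with compile_branch appearing 101 times on the stack.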
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Wei Lei, Peng Haoxiang and Liu Yang of Nanyang Technological University,
working with HP's Zero Day Initiative
-- FURTHER DETAILS ------------------------------
If supporting files are included with this report, they are provided in a
password-protected ZIP file. The password is the ZDI candidate number in the
form ZDI-CAN-XXXX, where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI
vulnerabilities within 120 days of the reported date. If you are ready to
release a patch at any point leading up to the deadline, please coordinate with
us so that we may release our advisory detailing the issue. If the 120-day
deadline is reached and no patch has been made available, we will release a
limited public advisory with our own mitigations so that the public can protect
themselves in the absence of a patch. Please keep us updated regarding the
status of this issue and feel free to contact us at any time:
Zero Day Initiative
zdi-disclosures@???
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI ---------------------
Established by TippingPoint and acquired by Hewlett-Packard, the Zero Day
Initiative (ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
The ZDI is unique in how the acquired vulnerability information is used. The
ZDI does not re-sell the vulnerability details or any exploit code. Instead,
upon notifying the affected product vendor, the ZDI provides its HP
TippingPoint customers with zero day protection through its intrusion
prevention technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor patch is
publicly available.
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/