https://bugs.exim.org/show_bug.cgi?id=1847
Bug ID: 1847
Summary: invalid read / possible negative array index in pcre2test.c / extend_inputline()
Product: PCRE
Version: 10.21 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: hanno@???
CC: pcre-dev@???
Created attachment 894
  --> https://bugs.exim.org/attachment.cgi?id=894&action=edit
patch to fix potential negative index
There is this code in pcre2test.c:
if (here[dlen - 1] == '\n') return start; /* End of line reached */
This can lead to situations where here[dlen - 1] is invalid. To test one can
compile pcre2 (current svn code) with address sanitizer and run pcre2test on a
file with a single zero byte.
The solution is to add a check whether here+dlen is bigger than start. See
attached patch.
The address sanitizer error message:
==29365==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62f0000003ff at pc 0x408886 bp 0x7fff003d2ee0 sp 0x7fff003d2ed0
READ of size 1 at 0x62f0000003ff thread T0
#0 0x408885 in extend_inputline src/pcre2test.c:3019
#1 0x41a33b in main src/pcre2test.c:7432
#2 0x7ff84acd978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#3 0x402e28 in _start (/f/pcre/pcre2-svn/.libs/pcre2test+0x402e28)
0x62f0000003ff is located 1 bytes to the left of 50000-byte region
[0x62f000000400,0x62f00000c750)
allocated by thread T0 here:
#0 0x7ff84b576707 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57707)
#1 0x419263 in main src/pcre2test.c:7100
#2 0x7ff84acd978f in __libc_start_main (/lib64/libc.so.6+0x2078f)
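The guard the report proposes, worked through on a constructed input as an added example (my code, not the patch attached to this bug): a simplified model of extend_inputline() reads lines with fgets(), tests here + dlen > start before touching here[dlen - 1], and counts how often the unguarded expression would have read the byte just before the buffer, which is the one-byte-left-of-region read in the sanitizer trace above. The names read_line() and count_lines() and the two sample inputs are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs, not from the report. The second one contains a
 * line whose first byte is NUL, so strlen() of what fgets() stores is 0. */
static const char clean_input[] = "abc\ndef\n";
static const char nul_input[]   = "abc\n\0xyz\n";
#define CLEAN_LEN (sizeof(clean_input) - 1)
#define NUL_LEN   (sizeof(nul_input) - 1)

/* Simplified model of extend_inputline(): fill start[] with one logical line by
 * calling fgets() until a newline has been stored. Returns 1 when a line was
 * read, 0 at end of input. *underflows counts how often the unguarded
 * expression here[dlen - 1] from the report would have indexed before start. */
static int read_line(FILE *f, char *start, size_t size, int *underflows)
{
    char *here = start;
    for (;;) {
        size_t rlen = size - (size_t)(here - start);
        if (rlen < 2) return 1;              /* buffer full; pcre2test grows it */
        if (fgets(here, (int)rlen, f) == NULL)
            return (here == start) ? 0 : 1;  /* EOF: nothing, or a final partial line */
        size_t dlen = strlen(here);          /* 0 when the chunk begins with NUL */
        if (here + dlen > start) {           /* guard from the report: index in bounds */
            if (here[dlen - 1] == '\n') return 1;   /* end of line reached */
        } else {
            (*underflows)++;                 /* unguarded code reads start[-1] here */
        }
        here += dlen;                        /* a NUL chunk adds nothing; keep reading */
    }
}

/* Feeds the whole byte string through read_line(). Returns the number of lines
 * read, or -1 on error, and stores the would-be out-of-bounds reads in *underflows. */
int count_lines(const char *data, size_t len, int *underflows)
{
    char buf[32];
    int lines = 0;
    *underflows = 0;
    FILE *f = fmemopen((void *)data, len, "r");  /* NUL bytes are read like any other */
    if (f == NULL) return -1;
    while (read_line(f, buf, sizeof buf, underflows)) lines++;
    fclose(f);
    return lines;
}

int main(void)
{
    int u;
    int n = count_lines(nul_input, NUL_LEN, &u);
    printf("lines: %d, unguarded here[dlen - 1] would underflow %d time(s)\n", n, u);
    return 0;
}
```

The guard also means the chunk starting with NUL contributes nothing and the rest of that line is not seen by the caller, which matches what strlen()-based line reading can deliver once a NUL byte is in the input.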