https://bugs.exim.org/show_bug.cgi?id=1889
Bug ID: 1889
Summary: PCRE2 Heap Overflow Vulnerability
Product: PCRE
Version: 10.22 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: fumfi.255@???
CC: pcre-dev@???
Created attachment 922
-->
https://bugs.exim.org/attachment.cgi?id=922&action=edit
POC to trigger buffer overflow (pcre2test)
The PCRE2 library is prone to a vulnerability which leads to a heap overflow.
Affected:
- PCRE2 version 10.23-RC1 2016-08-01 (cloned from SVN today)
- PCRE2 version 10.22 2016-07-29
- Other applications may also be affected
To reproduce the problem (pcre2test):
pcre2test bufover_1_min /dev/null
Valgrind output:
==11068== Memcheck, a memory error detector
==11068== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11068== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11068== Command: pcre2test /root/buffover_1_min /dev/null
==11068==
**11068** *** memcpy_chk: buffer overflow detected ***: program terminated
==11068== at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068== by 0x4C3544A: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068== by 0x4E42861: memcpy (string3.h:53)
==11068== by 0x4E42861: compile_branch (pcre2_compile.c:5232)
==11068== by 0x4E42861: compile_regex (pcre2_compile.c:7708)
==11068== by 0x4E46D66: pcre2_compile_8 (pcre2_compile.c:8678)
==11068== by 0x409F96: process_pattern (pcre2test.c:4996)
==11068== by 0x409F96: main (pcre2test.c:7665)
==11068==
==11068== HEAP SUMMARY:
==11068== in use at exit: 101,840 bytes in 11 blocks
==11068== total heap usage: 13 allocs, 2 frees, 110,032 bytes allocated
==11068==
==11068== LEAK SUMMARY:
==11068== definitely lost: 0 bytes in 0 blocks
==11068== indirectly lost: 0 bytes in 0 blocks
==11068== possibly lost: 0 bytes in 0 blocks
==11068== still reachable: 101,840 bytes in 11 blocks
==11068== suppressed: 0 bytes in 0 blocks
==11068== Rerun with --leak-check=full to see details of leaked memory
==11068==
==11068== For counts of detected and suppressed errors, rerun with: -v
==11068== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Regards,
Kamil Frankowicz
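A triage note on the trace above, with an added helper script that is not part of the report or of the PCRE2 project. The run ends with "ERROR SUMMARY: 0 errors" even though the process died: valgrind's preloaded replacement for the fortified __memcpy_chk detected that the destination object was smaller than the copy length, printed the backtrace and terminated the program, so memcheck itself never recorded an error. Any triage that keys on the ERROR SUMMARY line would file this as a clean run. The script below classifies a log by looking for the fortify abort marker instead, and reduces the backtrace to a deduplication key built from the first frames inside the library under test (the valgrind preload frames and the inlined libc memcpy frame are skipped because their source file does not match the requested prefix). The sample log embedded in the script is constructed from the report's own output with the wrapped lines re-joined; the prefix argument (pcre2_compile) and the three-frame depth are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper (not from the report or the PCRE2 project).
# Reduces a valgrind backtrace to a deduplication key and classifies a log
# that was killed by the fortified memcpy_chk wrapper rather than reported
# by memcheck.
# Assumed input shape: valgrind's "==PID==    at|by 0xADDR: func (file:line)".

# Constructed sample log: the report's output with wrapped lines re-joined,
# trimmed to the lines the functions below look at.
LOG='==11068== Command: pcre2test /root/buffover_1_min /dev/null
**11068** *** memcpy_chk: buffer overflow detected ***: program terminated
==11068==    at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4C3544A: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11068==    by 0x4E42861: memcpy (string3.h:53)
==11068==    by 0x4E42861: compile_branch (pcre2_compile.c:5232)
==11068==    by 0x4E42861: compile_regex (pcre2_compile.c:7708)
==11068==    by 0x4E46D66: pcre2_compile_8 (pcre2_compile.c:8678)
==11068==    by 0x409F96: process_pattern (pcre2test.c:4996)
==11068==    by 0x409F96: main (pcre2test.c:7665)
==11068== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)'

# crash_frames LOG PREFIX [N]
# Prints up to N (default 3) "func (file:line)" frames whose source file
# starts with PREFIX, one per line, innermost first.  Wrapper frames
# (valgrind preload, inlined libc memcpy, the pcre2test driver) are skipped
# because their file does not match, so the key is stable across valgrind
# versions and test drivers.
crash_frames() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v max="${3:-3}" '
        ($2 == "at" || $2 == "by") && n < max {
            loc = $5                          # "(file:line)" or "(in"
            sub(/^\(/, "", loc); sub(/\)$/, "", loc)
            if (index(loc, pfx) == 1) { print $4 " (" loc ")"; n++ }
        }'
}

# crash_key LOG PREFIX
# Single-line dedup key: the top three in-library frames joined by " <- ".
crash_key() {
    crash_frames "$1" "$2" 3 | awk '{ key = (NR == 1) ? $0 : key " <- " $0 } END { print key }'
}

# valgrind_verdict LOG
# "fortify-abort" when the _FORTIFY_SOURCE memcpy_chk wrapper terminated the
# process (memcheck records no error in that case, so ERROR SUMMARY alone
# would misclassify the run as clean); otherwise "memcheck-errors:<count>"
# taken from the ERROR SUMMARY line.
valgrind_verdict() {
    if printf '%s\n' "$1" | grep -q 'buffer overflow detected'; then
        echo fortify-abort
    else
        printf '%s\n' "$1" | awk '/ERROR SUMMARY:/ { print "memcheck-errors:" $4; exit }'
    fi
}

# Stand-alone usage against the constructed sample:
valgrind_verdict "$LOG"
crash_key "$LOG" pcre2_compile
```

For the sample log the verdict is fortify-abort and the key is compile_branch (pcre2_compile.c:5232) <- compile_regex (pcre2_compile.c:7708) <- pcre2_compile_8 (pcre2_compile.c:8678). The fortified path only reports that the destination object was too small for the copy; to learn the actual write length and which allocation was overrun, rebuild the library without fortification (or with AddressSanitizer) so that memcheck or ASan observes the out-of-bounds write itself.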