[Pcre-svn] [673] code/trunk: Fix oss-fuzz issue 781: read fr…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [673] code/trunk: Fix oss-fuzz issue 781: read from bad memory when fewer capturing parens than
Revision: 673
          http://www.exim.org/viewvc/pcre2?view=rev&revision=673
Author:   ph10
Date:     2017-03-10 15:53:49 +0000 (Fri, 10 Mar 2017)
Log Message:
-----------
Fix oss-fuzz issue 781: read from bad memory when fewer capturing parens than 
space in the external ovector.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_match.c


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2017-03-09 18:25:55 UTC (rev 672)
+++ code/trunk/ChangeLog    2017-03-10 15:53:49 UTC (rev 673)
@@ -14,10 +14,20 @@
 the old code had a number of fudges to try to reduce stack usage. It seems to 
 run no slower than the old code.


+A number of bugs in the refactored code were subsequently fixed during testing
+before release, but after the code was made available in the repository. Many
+of the bugs were discovered by fuzzing testing. These bugs were never in fully
+released code, but are noted here for the record.
+
+  (a) If a pattern had fewer capturing parentheses than the ovector supplied in 
+      the match data block, a memory error (detectable by ASAN) occurred after
+      a match, because the external block was being set from non-existent
+      internal ovector fields. Fixes oss-fuzz issue 781.
+
 2. Hardened pcre2test so as to reduce the number of bugs reported by fuzzers:


-   (a) Check for malloc failures when getting memory for the ovector (POSIX) or 
-       the match data block (non-POSIX). 
+  (a) Check for malloc failures when getting memory for the ovector (POSIX) or 
+      the match data block (non-POSIX). 


3. In the 32-bit library in non-UTF mode, an attempt to find a Unicode property
for a character with a code point greater than 0x10ffff (the Unicode maximum)
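Review bot: the re-indentation of item 2(a) (the `-   (a) Check for malloc failures` / `+  (a) Check for malloc failures` pair) is a whitespace-only change folded into a bug-fix commit; it is not mentioned in the log message, so either drop it or note it there so the ChangeLog history stays readable. In the new paragraph, "fuzzing testing" reads better as "fuzz testing", and the new sub-item (a) sits under the refactoring item while the unchanged item 2 below already has its own (a), so a reader scanning for the oss-fuzz 781 entry may want the parent item number repeated in the text.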

Modified: code/trunk/src/pcre2_match.c
===================================================================
--- code/trunk/src/pcre2_match.c    2017-03-09 18:25:55 UTC (rev 672)
+++ code/trunk/src/pcre2_match.c    2017-03-10 15:53:49 UTC (rev 673)
@@ -816,9 +816,11 @@


     ovector[0] = Fstart_match - mb->start_subject;
     ovector[1] = Feptr - mb->start_subject;
-    memcpy(ovector+2, Fovector, (oveccount - 1) * 2 * sizeof(PCRE2_SIZE));
-
+    
+    /* Set i to the smaller of the sizes of the external and frame ovectors. */
+    
     i = 2 * ((top_bracket + 1 > oveccount)? oveccount : top_bracket + 1);
+    memcpy(ovector + 2, Fovector, (i - 2) * sizeof(PCRE2_SIZE));
     while (--i >= Foffset_top + 2) ovector[i] = PCRE2_UNSET;
     return MATCH_MATCH;  /* Note: NOT RRETURN */
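Review bot: the copy length now follows `2 * min(top_bracket + 1, oveccount)` instead of `oveccount` alone, which closes the over-read from `Fovector` when the pattern has fewer capturing parentheses than the external ovector has slots; however, when `oveccount` exceeds `top_bracket + 1`, the external entries from `ovector[2 * (top_bracket + 1)]` upward are neither copied nor set by this block, because the `while (--i >= Foffset_top + 2)` loop only descends from the new `i`. Please confirm that the match data ovector is filled with `PCRE2_UNSET` before matching begins, otherwise callers would read stale offsets in those slots. The `(i - 2) * sizeof(PCRE2_SIZE)` length also assumes `oveccount >= 1` (with `oveccount == 0`, `i` would be 0 and the subtraction would wrap when converted to `size_t`); the unconditional writes to `ovector[0]` and `ovector[1]` just above already rely on the same assumption, so a comment or assert stating it would help. Minor: the two added blank lines (`+    `) carry trailing whitespace.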