Author: Giuseppe D'Angelo
Date:
To: pcre-dev
CC: skunk
Subject: Re: [pcre-dev] Serialization format versioning

On Wed, 27 Jun 2018 at 19:50, <ph10@???> wrote:
> I don't think there's any guarantee of not crashing unless you can
> guarantee the data is not corrupted. For example, it contains lengths of
> patterns, and if these are overwritten, it might read past the end of
> the data. There are sanity checks on the magic number, etc. and there
> are some other checks within the code - for example if the purported
> size of a pattern is less than the minimum.

Thanks for the clarification.

Yes, the end user of the API is fully responsible for the data
integrity. What's really important here is that it's always safe to
tell PCRE to deserialize patterns from data obtained through the PCRE
serialization functions, possibly coming from another OS / CPU / PCRE
version. (If PCRE deserialization refuses to deserialize, that's safe
as well and fine by me). If PCRE can't guarantee this I can provide my
own protection, of course; but it would be silly to duplicate checks
which are already there.
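One form the caller-side protection mentioned in the message could take, as an added example that is not part of the original post or of PCRE2: the serialized bytes are stored inside a small envelope (fixed byte order, exact length, CRC-32) that is checked before anything is passed to `pcre2_serialize_decode()`. The names `env_seal`, `env_open` and `ENV_MAGIC` are hypothetical, and a CRC only catches accidental corruption; data that may have been modified deliberately would need a keyed MAC in its place.

```c
#include <stdint.h>
#include <string.h>

#define ENV_MAGIC 0x31565345u   /* constructed tag, not a PCRE2 value */
#define ENV_HDR   12u           /* magic + payload length + CRC-32 */

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Header fields use little-endian order so the envelope is portable across CPUs. */
static void put_le32(uint8_t *d, uint32_t v) {
    for (int i = 0; i < 4; i++) d[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *s) {
    return (uint32_t)s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* Wrap a serialized blob; returns bytes written, or 0 if out is too small. */
size_t env_seal(const uint8_t *blob, size_t len, uint8_t *out, size_t cap) {
    if (len > UINT32_MAX || cap < ENV_HDR || cap - ENV_HDR < len) return 0;
    put_le32(out, ENV_MAGIC);
    put_le32(out + 4, (uint32_t)len);
    put_le32(out + 8, crc32_buf(blob, len));
    memcpy(out + ENV_HDR, blob, len);
    return ENV_HDR + len;
}

/* Returns the verified payload, or NULL when the envelope is truncated,
   mislabelled or fails the checksum. Only a non-NULL result should be
   handed to pcre2_serialize_decode(). */
const uint8_t *env_open(const uint8_t *in, size_t n, size_t *len) {
    if (n < ENV_HDR || get_le32(in) != ENV_MAGIC) return NULL;
    uint32_t plen = get_le32(in + 4);
    if (plen != n - ENV_HDR) return NULL;      /* length must match exactly */
    if (crc32_buf(in + ENV_HDR, plen) != get_le32(in + 8)) return NULL;
    *len = plen;
    return in + ENV_HDR;
}

int main(void) {   /* constructed sample: one flipped byte must be rejected */
    const uint8_t blob[] = "constructed stand-in for serialized pattern bytes";
    uint8_t env[128];
    size_t len = 0, n = env_seal(blob, sizeof blob, env, sizeof env);
    env[ENV_HDR + 3] ^= 0x40;
    return env_open(env, n, &len) == NULL ? 0 : 1;
}
```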