https://bugs.exim.org/show_bug.cgi?id=2308
Bug ID: 2308
Summary: Possible uninitialized memory usage in optimize_class_chars()
Product: PCRE
Version: 10.31 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: ppisar@???
CC: pcre-dev@???
The optimize_class_chars() function in src/pcre2_jit_compile.c defines:
uint16_t char_list[MAX_CLASS_CHARS_SIZE];
then it sets some of its elements and finally checks the zeroth element with
(line 5907 in the latest SVN code):
if (char_list[0] == 0) {}
I'm unable to follow all the code paths that depend on the function arguments,
but char_list[0] can be set only at two places, and the first place depends on
the char_list[k] value, which means there is only one place:
char_list[len++] = (uint16_t) c;
And this happens only if (0 == len == k) && (byte & 0x1), and byte is one of the
32 bits[i]. So it depends on the bits argument.
Are you sure this code is safe? Wouldn't it make sense to always initialize the
three bytes (MAX_CLASS_CHARS_SIZE) of the char_list array?
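A minimal C model of the pattern the report questions, added here as an illustration; it is not PCRE2's code. The bitmap layout (bit c%8 of byte c/8), the CLASS_CHARS_MAX value and all function names are assumptions; the point is that a check on an element of an uninitialized stack array is only well defined when some earlier path has written that element, so the hardened form zero-initializes the array and branches on the count instead.

```c
#include <stdint.h>

/* Constructed stand-in for MAX_CLASS_CHARS_SIZE (the real value is not quoted in the report). */
#define CLASS_CHARS_MAX 16

/* Set code point c in a 256-bit class bitmap: bit (c % 8) of byte (c / 8). */
static void set_class_bit(uint8_t bits[32], unsigned c)
{
  bits[c / 8] |= (uint8_t)(1u << (c % 8));
}

/* Copy every code point set in bits[] into out[], in the shape of the loop the report quotes.
   Returns the count, or -1 when the class holds more than max characters. */
static int collect_class_chars(const uint8_t bits[32], uint16_t *out, int max)
{
  int len = 0;
  for (int i = 0; i < 32; i++) {
    uint8_t byte = bits[i];
    for (int b = 0; byte != 0; b++, byte >>= 1) {
      if (byte & 0x1) {
        if (len >= max) return -1;
        out[len++] = (uint16_t)(i * 8 + b);
      }
    }
  }
  return len;
}

/* The shape the report questions: char_list is never initialized, so when the
   bitmap is empty nothing is written and the comparison reads an indeterminate
   value (undefined behaviour; only defined here when at least one bit is set). */
static int class_char0_is_zero_unsafe(const uint8_t bits[32])
{
  uint16_t char_list[CLASS_CHARS_MAX];
  if (collect_class_chars(bits, char_list, CLASS_CHARS_MAX) < 0) return -1;
  return char_list[0] == 0;
}

/* Hardened form: zero-initialize the array and decide on the count before
   looking at any element, so the empty class is handled explicitly. */
static int class_char0_is_zero_safe(const uint8_t bits[32])
{
  uint16_t char_list[CLASS_CHARS_MAX] = {0};
  int len = collect_class_chars(bits, char_list, CLASS_CHARS_MAX);
  if (len < 0) return -1;
  if (len == 0) return 0;
  return char_list[0] == 0;
}
```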