[pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit

Αρχική Σελίδα
Delete this message
Συντάκτης: admin
Ημερομηνία:  
Προς: pcre-dev
Αντικείμενο: [pcre-dev] [Bug 2320] Buffer Overflow in PCRE2 jit
https://bugs.exim.org/show_bug.cgi?id=2320

Petr Pisar <ppisar@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1125|0                           |1
        is obsolete|                            |


--- Comment #2 from Petr Pisar <ppisar@???> ---
Created attachment 1126
--> https://bugs.exim.org/attachment.cgi?id=1126&action=edit
Reduced test case

The input file can be reduced to:

$ hexdump -C /tmp/test 
00000000  2f 2c 7c 5c 58 7b 33 2c  33 7d 7c 2f 0a 2f 0d 5c  |/,|\X{3,3}|/./.\|
00000010  6e 0a                                             |n.|
00000012


and reproduced with PCRE2 10.32:

$ libtool --mode=execute valgrind ./pcre2test -8 -jit /tmp/test  
==23259== Memcheck, a memory error detector
==23259== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23259== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright
info
==23259== Command: /home/test/fedora/pcre2/pcre2-10.32/.libs/lt-pcre2test -8
-jit /tmp/test
==23259== 
PCRE2 version 10.32 2018-09-10
/,|\X{3,3}|/
\n
==23259== Invalid read of size 1
==23259==    at 0x48BBABE: do_extuni_no_utf (pcre2_jit_compile.c:7291)
==23259==    by 0x5036135: ???
==23259==    by 0x4C5AB8C: ???
==23259==  Address 0x4c5ab90 is 0 bytes after a block of size 16,384 alloc'd
==23259==    at 0x4838748: malloc (vg_replace_malloc.c:298)
==23259==    by 0x483AD63: realloc (vg_replace_malloc.c:826)
==23259==    by 0x11F8D9: process_data (pcre2test.c:6422)
==23259==    by 0x111D75: main (pcre2test.c:8655)
==23259== 
 0: ERROR: bad value(s) for offset(s): 0x0 0x4
==23259== 
==23259== HEAP SUMMARY:
==23259==     in use at exit: 0 bytes in 0 blocks
==23259==   total heap usage: 32 allocs, 32 frees, 148,230 bytes allocated
==23259== 
==23259== All heap blocks were freed -- no leaks are possible
==23259== 
==23259== For counts of detected and suppressed errors, rerun with: -v
==23259== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


--
You are receiving this mail because:
You are on the CC list for the bug.