[pcre-dev] [Bug 2337] New: possible integer overflow in func…

Αρχική Σελίδα
Delete this message
Συντάκτης: admin
Ημερομηνία:  
Προς: pcre-dev
Αντικείμενο: [pcre-dev] [Bug 2337] New: possible integer overflow in function find_minlength in pcre_study.c
https://bugs.exim.org/show_bug.cgi?id=2337

            Bug ID: 2337
           Summary: possible integer overflow in function find_minlength
                    in pcre_study.c
           Product: PCRE
           Version: 8.42
          Hardware: x86
                OS: Windows
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: yangx92@???
                CC: pcre-dev@???


Hi,

There is a possible integer overflow in function find_minlength in pcre_study.c

static int
find_minlength(const REAL_PCRE *re, const pcre_uchar *code,
const pcre_uchar *startcode, int options, recurse_check *recurses,
int *countptr)
{
int length = -1;
/* PCRE_UTF16 has the same value as PCRE_UTF8. */
BOOL utf = (options & PCRE_UTF8) != 0;
BOOL had_recurse = FALSE;
recurse_check this_recurse;
register int branchlength = 0;
register pcre_uchar *cc = (pcre_uchar *)code + 1 + LINK_SIZE;

if ((*countptr)++ > 1000) return -1; /* too complex */

if (*code == OP_CBRA || *code == OP_SCBRA ||
    *code == OP_CBRAPOS || *code == OP_SCBRAPOS) cc += IMM2_SIZE;


/* Scan along the opcodes for this branch. If we get to the end of the
branch, check the length against that of the other branches. */

for (;;)
{
int d, min;
pcre_uchar *cs, *ce;
register pcre_uchar op = *cc;

  switch (op)
    {
...
    case OP_ONCE_NC:
    d = find_minlength(re, cc, startcode, options, recurses, countptr);
    if (d < 0) return d;
    branchlength += d;



Actually this possible integer overflow is very similar to issue in pcre2 which
was fixed in https://vcs.pcre.org/pcre2?view=revision&revision=385.
The patch for that issue is
https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_study.c?r1=385&r2=384&pathrev=385.

I think there is a similar issue in find_minlength in pcre.

Young

--
You are receiving this mail because:
You are on the CC list for the bug.