https://bugs.exim.org/show_bug.cgi?id=2337
Bug ID: 2337
Summary: possible integer overflow in function find_minlength
in pcre_study.c
Product: PCRE
Version: 8.42
Hardware: x86
OS: Windows
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: yangx92@???
CC: pcre-dev@???
Hi,
There is a possible integer overflow in the function find_minlength in pcre_study.c:
static int
find_minlength(const REAL_PCRE *re, const pcre_uchar *code,
  const pcre_uchar *startcode, int options, recurse_check *recurses,
  int *countptr)
{
int length = -1;
/* PCRE_UTF16 has the same value as PCRE_UTF8. */
BOOL utf = (options & PCRE_UTF8) != 0;
BOOL had_recurse = FALSE;
recurse_check this_recurse;
register int branchlength = 0;
register pcre_uchar *cc = (pcre_uchar *)code + 1 + LINK_SIZE;

if ((*countptr)++ > 1000) return -1;   /* too complex */

if (*code == OP_CBRA || *code == OP_SCBRA ||
    *code == OP_CBRAPOS || *code == OP_SCBRAPOS) cc += IMM2_SIZE;

/* Scan along the opcodes for this branch. If we get to the end of the
branch, check the length against that of the other branches. */

for (;;)
  {
  int d, min;
  pcre_uchar *cs, *ce;
  register pcre_uchar op = *cc;

  switch (op)
    {
    ...
    case OP_ONCE_NC:
    d = find_minlength(re, cc, startcode, options, recurses, countptr);
    if (d < 0) return d;
    /* d is only checked for being negative; adding it to branchlength
       is unchecked, so the signed sum can overflow. */
    branchlength += d;
Actually, this possible integer overflow is very similar to an issue in pcre2 which
was fixed in
https://vcs.pcre.org/pcre2?view=revision&revision=385.
The patch for that issue is
https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_study.c?r1=385&r2=384&pathrev=385.
I think there is a similar issue in find_minlength in pcre.
Young
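An added example, not from the bug report or from the PCRE sources, of the kind of checked accumulation that removes this class of overflow: the running branch length is saturated at a fixed cap instead of being added to blindly. The cap value, the function names and the sample group lengths are my choices for illustration, not what the pcre2 patch used.

```c
#include <limits.h>
#include <stdio.h>

/* Upper bound for an accumulated minimum length. A subject long enough to
   exceed this is long enough for any practical pattern, so saturating here
   loses nothing. Assumed value for this example, not taken from PCRE. */
#define MINLENGTH_CAP 65535

/* Add a sub-pattern's minimum length to the running branch length without
   signed overflow. Negative inputs are error codes and are propagated as -1;
   otherwise the result is the sum, saturated at MINLENGTH_CAP. */
static int add_minlength(int branchlength, int d)
{
  if (d < 0 || branchlength < 0) return -1;
  /* Compare against the remaining headroom rather than computing the sum,
     so this test itself cannot overflow. */
  if (d > MINLENGTH_CAP - branchlength) return MINLENGTH_CAP;
  return branchlength + d;
}

/* Constructed stand-in for the recursion in find_minlength: each entry is
   the minimum length reported for one nested group. Values near INT_MAX
   are where an unchecked "branchlength += d" would wrap. */
static int accumulate(const int *group_minlengths, int n)
{
  int branchlength = 0;
  for (int i = 0; i < n; i++)
  {
    branchlength = add_minlength(branchlength, group_minlengths[i]);
    if (branchlength < 0) return branchlength;   /* propagate error */
  }
  return branchlength;
}

int main(void)
{
  const int huge[] = { INT_MAX - 1, 10 };  /* constructed: would overflow */
  const int small[] = { 3, 4, 5 };         /* constructed: ordinary case */
  printf("huge  -> %d\n", accumulate(huge, 2));   /* 65535, not a wrapped negative */
  printf("small -> %d\n", accumulate(small, 3));  /* 12 */
  return 0;
}
```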