https://bugs.exim.org/show_bug.cgi?id=2510
Bug ID: 2510
Summary: NULL-pointer deref on match of JIT-compiled regex
Product: PCRE
Version: 10.34 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: mark@???
CC: pcre-dev@???
Created attachment 1259: Reproducer source file
https://bugs.exim.org/attachment.cgi?id=1259&action=edit
It appears that some combination of the THEN verb "(*THEN:" and a lookahead "?=" (or "?<=") causes a NULL-pointer dereference later when the emitted JIT code is executed. This bug was found with fuzzing, and I can't diagnose the JIT code myself other than to say it's always the same instruction that crashes: "cmp qword ptr [r15 + 8], rax" on x64.

I was able to minimize the crash to the following combination: pattern: "(?=(*THEN: ))* |", string: " ", and have attached a reproducer source file.

Since it's a segfault in a JIT region, the ASAN output and crash backtraces aren't very useful. I can supply a Dockerfile or other clarifying information if needed, but there's nothing special about the build other than configuring with --enable-jit.