[pcre-dev] [Bug 2780] New: read_capture_name8(pcretest.c:216…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 2780] New: read_capture_name8(pcretest.c:2162) in PCRE8.45 can produce stack-buffer-overflow.
https://bugs.exim.org/show_bug.cgi?id=2780

            Bug ID: 2780
           Summary: read_capture_name8(pcretest.c:2162) in PCRE8.45 can
                    produce stack-buffer-overflow.
           Product: PCRE
           Version: 8.45
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: Philip.Hazel@???
          Reporter: 670605832@???
                CC: pcre-dev@???


==41410==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdb1056860 at pc 0x00000052c918 bp 0x7ffdb1055710 sp 0x7ffdb1055708
WRITE of size 1 at 0x7ffdb1056860 thread T0
    #0 0x52c917 in read_capture_name8 /pcre/pcretest.c:2162:28
    #1 0x51da79 in main /pcre/pcretest.c:4742:11
    #2 0x7f053d55a82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x419c88 in _start (/pcre/pcretest+0x419c88)


Address 0x7ffdb1056860 is located in stack of thread T0 at offset 4192 in frame
    #0 0x50b8df in main /pcre/pcretest.c:2987


  This frame has 48 object(s):
    [32, 56) 'lockout'
    [96, 4192) 'copynames' <== Memory access at offset 4192 overflows this variable
    [4320, 8416) 'getnames'
    [8544, 8552) 'cn8ptr'
    [8576, 8584) 'gn8ptr'
    [8608, 8616) 'endptr'
    [8640, 8656) 'rlim'
    [8672, 8676) 'rc137'
    [8688, 8696) 'lrc'
    [8720, 8728) 'arch'
    [8752, 8776) 'preg'
    [8816, 8824) 'error'
    [8848, 8856) 'markptr'
    [8880, 8888) 'get_options'
    [8912, 8920) 'size'
    [8944, 8948) 'erroroffset'
    [8960, 8968) 'sbuf'
    [8992, 8996) 'name_count'
    [9008, 9012) 'name_entry_size'
    [9024, 9032) 'jitsize'
    [9056, 9060) 'first_char'
    [9072, 9076) 'need_char'
    [9088, 9092) 'match_limit'
    [9104, 9108) 'recursion_limit'
    [9120, 9124) 'count'
    [9136, 9140) 'backrefmax'
    [9152, 9156) 'first_char_set'
    [9168, 9172) 'need_char_set'
    [9184, 9188) 'okpartial'
    [9200, 9204) 'jchanged'
    [9216, 9220) 'hascrorlf'
    [9232, 9236) 'maxlookbehind'
    [9248, 9252) 'match_empty'
    [9264, 9268) 'nameentrysize'
    [9280, 9284) 'namecount'
    [9296, 9304) 'nametable'
    [9328, 9336) 'start_bits'
    [9360, 9364) 'minlength'
    [9376, 9380) 'jit'
    [9392, 9400) 'sbuf1158'
    [9424, 9428) 'callout_data'
    [9440, 9444) 'count1219'
    [9456, 9712) 'copybuffer'
    [9776, 10032) 'copybuffer1979'
    [10096, 10104) 'substring'
    [10128, 10136) 'substring2025'
    [10160, 10168) 'stringlist'
    [10192, 10196) 'd'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /pcre/pcretest.c:2162:28 in read_capture_name8
Shadow bytes around the buggy address:
  0x100036202cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036202d00: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x100036202d10: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x100036202d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100036202d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==41410==ABORTING
