https://bugs.exim.org/show_bug.cgi?id=2780
Bug ID: 2780
Summary: read_capture_name8 (pcretest.c:2162) in PCRE 8.45 can produce stack-buffer-overflow.
Product: PCRE
Version: 8.45
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: Philip.Hazel@???
Reporter: 670605832@???
CC: pcre-dev@???
==41410==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdb1056860 at pc 0x00000052c918 bp 0x7ffdb1055710 sp 0x7ffdb1055708
WRITE of size 1 at 0x7ffdb1056860 thread T0
#0 0x52c917 in read_capture_name8 /pcre/pcretest.c:2162:28
#1 0x51da79 in main /pcre/pcretest.c:4742:11
#2 0x7f053d55a82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x419c88 in _start (/pcre/pcretest+0x419c88)
Address 0x7ffdb1056860 is located in stack of thread T0 at offset 4192 in frame
#0 0x50b8df in main /pcre/pcretest.c:2987
This frame has 48 object(s):
[32, 56) 'lockout'
[96, 4192) 'copynames' <== Memory access at offset 4192 overflows this variable
[4320, 8416) 'getnames'
[8544, 8552) 'cn8ptr'
[8576, 8584) 'gn8ptr'
[8608, 8616) 'endptr'
[8640, 8656) 'rlim'
[8672, 8676) 'rc137'
[8688, 8696) 'lrc'
[8720, 8728) 'arch'
[8752, 8776) 'preg'
[8816, 8824) 'error'
[8848, 8856) 'markptr'
[8880, 8888) 'get_options'
[8912, 8920) 'size'
[8944, 8948) 'erroroffset'
[8960, 8968) 'sbuf'
[8992, 8996) 'name_count'
[9008, 9012) 'name_entry_size'
[9024, 9032) 'jitsize'
[9056, 9060) 'first_char'
[9072, 9076) 'need_char'
[9088, 9092) 'match_limit'
[9104, 9108) 'recursion_limit'
[9120, 9124) 'count'
[9136, 9140) 'backrefmax'
[9152, 9156) 'first_char_set'
[9168, 9172) 'need_char_set'
[9184, 9188) 'okpartial'
[9200, 9204) 'jchanged'
[9216, 9220) 'hascrorlf'
[9232, 9236) 'maxlookbehind'
[9248, 9252) 'match_empty'
[9264, 9268) 'nameentrysize'
[9280, 9284) 'namecount'
[9296, 9304) 'nametable'
[9328, 9336) 'start_bits'
[9360, 9364) 'minlength'
[9376, 9380) 'jit'
[9392, 9400) 'sbuf1158'
[9424, 9428) 'callout_data'
[9440, 9444) 'count1219'
[9456, 9712) 'copybuffer'
[9776, 10032) 'copybuffer1979'
[10096, 10104) 'substring'
[10128, 10136) 'substring2025'
[10160, 10168) 'stringlist'
[10192, 10196) 'd'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /pcre/pcretest.c:2162:28 in read_capture_name8
Shadow bytes around the buggy address:
0x100036202cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100036202d00: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
0x100036202d10: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
0x100036202d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100036202d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==41410==ABORTING
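To make the trace concrete, the following is an added C model of the pattern the report points at; it is not pcretest's source and is not part of the bug report. The frame layout above places 'copynames' at [96, 4192), i.e. a 4096-byte stack buffer, and the faulting 1-byte WRITE lands at frame offset 4192, exactly one byte past its end. The model copies an alphanumeric capture name byte by byte into such a buffer with no check against its end, beside a bounded form that refuses a name which would not fit. The buffer size (4096) and the frame base (96) are taken from the report; the function names, the two terminating zero bytes after each name, and the probe inputs are assumptions of this example. Writes are simulated into a poisoned backing array so the first out-of-bounds byte can be located without undefined behaviour.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the ASan frame layout in the report: [96, 4192) 'copynames'. */
#define NAMEBUF_SIZE 4096
#define COPYNAMES_FRAME_BASE 96

/* Model of the unbounded copy the trace describes (assumed shape, not
   pcretest's code): copy the alphanumeric name into *pp, then write two
   zero bytes (name terminator plus list terminator), never checking the
   end of the destination. Returns the first byte after the name. */
static const uint8_t *
read_name_unbounded(const uint8_t *p, uint8_t **pp)
{
    uint8_t *npp = *pp;
    while (isalnum(*p)) *npp++ = *p++;
    *npp++ = 0;
    *npp = 0;
    *pp = npp;          /* next name overwrites the list terminator */
    return p;
}

/* Hardened form with the same contract: refuse a name that does not fit
   together with its two zero bytes before 'end'. Returns NULL on refusal
   and leaves the destination untouched. */
static const uint8_t *
read_name_bounded(const uint8_t *p, uint8_t **pp, const uint8_t *end)
{
    const uint8_t *q = p;
    while (isalnum(*q)) q++;
    size_t len = (size_t)(q - p);
    if (len + 2 > (size_t)(end - *pp)) return NULL;
    memcpy(*pp, p, len);
    (*pp)[len] = 0;
    (*pp)[len + 1] = 0;
    *pp += len + 1;
    return q;
}

/* Run one name through the selected reader against a simulated copynames
   buffer followed by a redzone. Returns the highest buffer offset that was
   written, -1 if the bounded reader refused, -2 if the input is too long
   for this simulation. Offset NAMEBUF_SIZE is the first byte past the
   buffer, which is frame offset COPYNAMES_FRAME_BASE + NAMEBUF_SIZE = 4192
   in the report. */
static long
highest_offset_written(const char *input, int bounded)
{
    uint8_t backing[NAMEBUF_SIZE + 64];
    const uint8_t *p = (const uint8_t *)input;
    uint8_t *cursor = backing;
    size_t len = 0;
    long hi = -1;

    while (isalnum(p[len])) len++;
    if (len + 2 > sizeof backing) return -2;

    memset(backing, 0xAA, sizeof backing);   /* poison: 0xAA means never written */
    if (bounded) {
        if (read_name_bounded(p, &cursor, backing + NAMEBUF_SIZE) == NULL) return -1;
    } else {
        read_name_unbounded(p, &cursor);
    }
    for (size_t i = 0; i < sizeof backing; i++)
        if (backing[i] != 0xAA) hi = (long)i;
    return hi;
}

/* Build a constructed name of 'namelen' letters and probe with it. */
static long
probe(size_t namelen, int bounded)
{
    static char name[NAMEBUF_SIZE + 128];
    if (namelen >= sizeof name - 1) return -2;
    memset(name, 'a', namelen);
    name[namelen] = '\0';   /* not alnum, so the copy stops here */
    return highest_offset_written(name, bounded);
}

int main(void)
{
    printf("3-char name, unbounded:    highest offset %ld\n", probe(3, 0));
    printf("4094-char name, unbounded: highest offset %ld (fits)\n", probe(4094, 0));
    printf("4095-char name, unbounded: highest offset %ld = frame offset %ld\n",
           probe(4095, 0), probe(4095, 0) + COPYNAMES_FRAME_BASE);
    printf("4095-char name, bounded:   %ld (refused)\n", probe(4095, 1));
    return 0;
}
```

A 4094-character name is the largest the unbounded model accepts without leaving the buffer; one more character puts the second zero byte at offset 4096, which is the [f2] stack mid redzone byte highlighted in the shadow dump. The bounded reader returns NULL for that input instead of writing.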