[pcre-dev] [Bug 2777] pcre2_match.c in PCRE2 10.23 stack-over…

Author: admin
Date:  
To: pcre-dev
Old-Topics: [pcre-dev] [Bug 2777] New: pcre2_match.c in PCRE2 10.23 stack-overflow.
Subject: [pcre-dev] [Bug 2777] pcre2_match.c in PCRE2 10.23 stack-overflow.
https://bugs.exim.org/show_bug.cgi?id=2777

Mehmet gelisin <mehmetgelisin@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mehmetgelisin@???


--- Comment #2 from Mehmet gelisin <mehmetgelisin@???> ---
I. Summary
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is incorporated
into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP.
The PCRE library is prone to a vulnerability which leads to a heap overflow. During
the compilation of a malformed regular expression, more data is written to the
malloced block than the expected size output by compile_regex. Exploits with
advanced heap Feng Shui techniques may allow an attacker to execute arbitrary
code in the context of the user running the affected application.
------------------------------------------------------------------
II. Description
The latest version of PCRE is prone to a heap overflow vulnerability which could
be caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/

A dry run of this particular regular expression with pcretest reports
"double free or corruption (!prev)".
But it is actually a heap overflow problem.
It is a similar problem as discussed.


The following test is conducted with the svn-updated version of pcre.
Here is the memory layout of re (its size is 248) just before the second
compile_regexp():

==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0:      0x45    0x52    0x43    0x50    0xf8    0x00    0x00    0x00
0x1f8a8a8:      0x00    0x00    0x00    0x00    0x00    0x04    0x00    0x00
0x1f8a8b0:      0xff    0xff    0xff    0xff    0xff    0xff    0xff    0xff
0x1f8a8b8:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x1f8a8c0:      0x00    0x00    0x40    0x00    0x04    0x00    0x05    0x00
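The comment above describes the bug class, not a fix: a sizing run of compile_regex predicts how large the compiled block must be, the block is malloc'd at that size, and a second run writes more bytes into it than were predicted. The following is an added illustration, not code from the PCRE project or from this bug report. It is a miniature two-pass "pattern compiler" with an invented mini-syntax (plain bytes and `'name'` tokens), invented opcodes and invented function names; it reproduces the estimator/emitter disagreement inside a canary-padded buffer so the overrun can be observed without undefined behaviour, and then shows the two defensive measures: size the block with the very same pass that emits it (in a measuring mode), and make the emitter refuse any write past its capacity so a wrong estimate fails closed instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy opcodes; this mini-syntax and all names here are invented for the example. */
enum { OP_END = 0x00, OP_CHAR = 0x01, OP_NAME = 0x02 };

/* buf == NULL means measuring mode (count bytes, write nothing); cap == SIZE_MAX
 * disables the bounds check so the vulnerable behaviour can be reproduced. */
typedef struct { uint8_t *buf; size_t cap; size_t len; int overflow; } emitter;

static void put(emitter *e, uint8_t b) {
    if (e->buf != NULL && e->len >= e->cap) { e->overflow = 1; return; } /* fail closed */
    if (e->buf != NULL) e->buf[e->len] = b;
    e->len++;
}

/* Single compile pass used for both sizing and emitting. Syntax: byte c -> OP_CHAR c;
 * 'name' -> OP_NAME len name NUL. Returns 0, -1 on syntax error, -2 if a write was refused. */
static int compile_pass(const char *pat, emitter *e) {
    for (const char *p = pat; *p != '\0'; p++) {
        if (*p == '\'') {
            const char *q = strchr(p + 1, '\'');
            if (q == NULL) return -1;                 /* unterminated name */
            size_t n = (size_t)(q - p - 1);
            if (n == 0 || n > 255) return -1;         /* length must fit one byte */
            put(e, OP_NAME); put(e, (uint8_t)n);
            for (size_t i = 0; i < n; i++) put(e, (uint8_t)p[1 + i]);
            put(e, 0); p = q;                         /* NUL terminator, skip closing quote */
        } else { put(e, OP_CHAR); put(e, (uint8_t)*p); }
    }
    put(e, OP_END);
    return e->overflow ? -2 : 0;
}

/* The bug class: a size estimator written separately from the emitter. This one
 * forgets the NUL after each name, so every 'name' is under-counted by one byte. */
static size_t estimate_buggy(const char *pat) {
    size_t total = 1;                                 /* OP_END */
    for (const char *p = pat; *p != '\0'; p++) {
        if (*p == '\'') {
            const char *q = strchr(p + 1, '\'');
            if (q == NULL) return 0;
            total += 2 + (size_t)(q - p - 1);         /* OP_NAME, len, name; no NUL */
            p = q;
        } else total += 2;                            /* OP_CHAR, c */
    }
    return total;
}

/* Reproduce the overflow without undefined behaviour: allocate the buggy estimate plus a
 * 64-byte canary tail, emit unchecked (like code that trusts its estimate) and count the
 * canary bytes overwritten. Patterns that would overrun the canary itself are refused. */
static size_t canary_bytes_clobbered(const char *pat) {
    size_t est = estimate_buggy(pat);
    emitter m = { NULL, 0, 0, 0 };
    if (est == 0 || compile_pass(pat, &m) != 0 || m.len > est + 64) return 0;
    uint8_t *blk = malloc(est + 64);
    if (blk == NULL) return 0;
    memset(blk, 0xA5, est + 64);
    emitter e = { blk, SIZE_MAX, 0, 0 };
    compile_pass(pat, &e);
    size_t clobbered = 0;
    for (size_t i = est; i < est + 64; i++) clobbered += (blk[i] != 0xA5);
    free(blk);
    return clobbered;
}

/* Defence in depth: handed the same wrong estimate, a capped emitter refuses the write
 * and reports failure instead of corrupting the heap. Returns 1 when the overflow is caught. */
static int capped_emit_fails_closed(const char *pat) {
    size_t est = estimate_buggy(pat);
    uint8_t *blk = malloc(est ? est : 1);
    if (blk == NULL) return 0;
    emitter e = { blk, est, 0, 0 };
    int rc = compile_pass(pat, &e);
    free(blk);
    return rc == -2;
}

/* The fix proper: size with the same pass in measuring mode, emit with a hard cap,
 * and confirm both passes agree. Returns the malloc'd code block or NULL. */
static uint8_t *compile_checked(const char *pat, size_t *out_len) {
    emitter m = { NULL, 0, 0, 0 };
    if (compile_pass(pat, &m) != 0) return NULL;
    uint8_t *blk = malloc(m.len);
    if (blk == NULL) return NULL;
    emitter e = { blk, m.len, 0, 0 };
    if (compile_pass(pat, &e) != 0 || e.len != m.len) { free(blk); return NULL; }
    *out_len = e.len;
    return blk;
}

/* Compiled length via compile_checked, or -1 when it rejects the pattern. */
static long compiled_length(const char *pat) {
    size_t n = 0;
    uint8_t *c = compile_checked(pat, &n);
    if (c == NULL) return -1;
    free(c);
    return (long)n;
}
```

For the constructed pattern `a'R'b'S'` the separate estimator predicts 11 bytes while the emitter produces 13, so the unchecked writer clobbers two canary bytes past the block; the capped emitter stops at byte 11 and returns an error, and `compile_checked` never disagrees with itself because the measuring and writing passes are one function. A real-world crash signature like the "double free or corruption (!prev)" quoted in the report is what such an overrun looks like once it reaches the allocator's own metadata; the canary tail here only makes it visible deterministically.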


--
You are receiving this mail because:
You are on the CC list for the bug.