Hi Matthew, hi Philip,

I tried to follow the status for CVE-2017-7245 (#858678), and it looks like they still fail on the "current" revision from upstream VCS.

I'm on r1689 ("Fix DFA match handling of possessive repeated character class (Bugzilla 2086).") and compiling locally with ASAN (basically only CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address", and I'm explicitly calling configure with --enable-pcre32 --disable-shared to explicitly catch the issues):

CVE-2017-7245:

$ ./pcretest -32 -d ~/poc/00207-pcre-stackoverflow-pcre32_copy_substring
PCRE version 8.41-RC1 2017-02-01

\v+S+5
------------------------------------------------------------------
0 4 Bra
2 \v++
4 4 Ket
6 End
------------------------------------------------------------------
Capturing subpattern count = 0
No options
No first char
No need char
Subject length lower bound = 1
Starting chars: \x0a \x0b \x0c \x0d \x85 \xff
JIT support is not available in this version of PCRE
ïnn{ÿê|:)rÿ/; /=>D
No match
ßïnn{ÿê|:)> +
No match
>
No match
999
No match
>/;((((((((((((((((___ÃDD
No match
>:$$$ÿ ù 999
No match
7NXe c
No match
9
No match
>
No match
W+
No match
No match
No match
t
No match
8 <b
No match
W+
No match
t
No match
\S+\d+W+
=================================================================
==29699==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc66c02600 at pc 0x5618f712d5bd bp 0x7ffc66c01950 sp 0x7ffc66c01948
WRITE of size 4 at 0x7ffc66c02600 thread T0
    #0 0x5618f712d5bc in pcre32_copy_substring /root/pcre/pcre_get.c:358
    #1 0x5618f6face1b in main /root/pcre/pcretest.c:5342
    #2 0x7f5ce5d2a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #3 0x5618f6f9ade9 in _start (/root/pcre/pcretest+0x1bde9)

Address 0x7ffc66c02600 is located in stack of thread T0 at offset 2336 in frame
    #0 0x5618f6fa0fa5 in main /root/pcre/pcretest.c:2987

  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [96, 100) 'first_char'
    [160, 164) 'need_char'
    [224, 228) 'match_limit'
    [288, 292) 'recursion_limit'
    [352, 356) 'count'
    [416, 420) 'backrefmax'
    [480, 484) 'first_char_set'
    [544, 548) 'need_char_set'
    [608, 612) 'okpartial'
    [672, 676) 'jchanged'
    [736, 740) 'hascrorlf'
    [800, 804) 'maxlookbehind'
    [864, 868) 'match_empty'
    [928, 932) 'callout_data'
    [992, 996) 'count'
    [1056, 1060) 'd'
    [1120, 1128) 'cn32ptr'
    [1184, 1192) 'gn32ptr'
    [1248, 1256) 'cn16ptr'
    [1312, 1320) 'gn16ptr'
    [1376, 1384) 'cn8ptr'
    [1440, 1448) 'gn8ptr'
    [1504, 1512) 'error'
    [1568, 1576) 'markptr'
    [1632, 1640) 'get_options'
    [1696, 1704) 'size'
    [1760, 1768) 'nametable'
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer' <== Memory access at offset 2336 overflows this variable
    [2368, 6464) 'copynames'
    [6496, 10592) 'getnames'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/pcre/pcre_get.c:358 in pcre32_copy_substring
Shadow bytes around the buggy address:
  0x10000cd78470: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x10000cd78480: 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x10000cd78490: 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
  0x10000cd784a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000cd784c0:[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd784f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000cd78510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29699==ABORTING

(The reproducer files are from Agostino Sarubbo's git repository.)

Regards,
Salvatore
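As an added triage helper (not part of the mail above or of the pcre project): given an ASan stack-buffer-overflow report like the one quoted, map the faulting frame offset onto the frame's object list to confirm which variable is overrun, by how many bytes, and how much redzone separates it from the next object. The embedded report is a constructed, shortened excerpt of the output above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the AddressSanitizer report quoted in the mail above
# (only the lines the triage needs; the 35-entry frame list is shortened).
SAMPLE_REPORT = """\
==29699==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc66c02600
WRITE of size 4 at 0x7ffc66c02600 thread T0
    #0 0x5618f712d5bc in pcre32_copy_substring /root/pcre/pcre_get.c:358
Address 0x7ffc66c02600 is located in stack of thread T0 at offset 2336 in frame
    #0 0x5618f6fa0fa5 in main /root/pcre/pcretest.c:2987
  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [1824, 1832) 'sbuf'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer' <== Memory access at offset 2336 overflows this variable
    [2368, 6464) 'copynames'
    [6496, 10592) 'getnames'
"""

OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)'")      # [start, end) 'name'
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+)\b")  # faulting access
OFFSET_RE = re.compile(r"at offset (\d+) in frame")        # offset inside the frame
SITE_RE = re.compile(r"#0 0x[0-9a-f]+ in (\S+) (\S+)")    # innermost frame of the access

@dataclass
class Triage:
    access: str        # READ or WRITE
    size: int          # bytes accessed
    victim: str        # stack object the access runs past
    overrun: int       # bytes beyond the victim's end
    redzone_left: int  # padding remaining before the next object
    site: str          # "function file:line" of the faulting frame

def triage_stack_overflow(report: str) -> Triage:
    """Map an ASan stack-buffer-overflow report onto the frame's object layout."""
    access, size = ACCESS_RE.search(report).groups()
    offset = int(OFFSET_RE.search(report).group(1))
    func, loc = SITE_RE.search(report).groups()
    objects = sorted((int(a), int(b), n) for a, b, n in OBJECT_RE.findall(report))
    # The victim is the last object that starts at or before the faulting offset.
    start, end, name = max(o for o in objects if o[0] <= offset)
    following = [o for o in objects if o[0] > offset]
    next_start = following[0][0] if following else end
    return Triage(access, int(size), name, offset + int(size) - end,
                  next_start - (offset + int(size)), f"{func} {loc}")

if __name__ == "__main__":
    print(triage_stack_overflow(SAMPLE_REPORT))
```

For the report above this yields a 4-byte WRITE exactly at the end of the 256-byte copybuffer, i.e. an overrun of 4 bytes into the 32-byte mid redzone before copynames, which is what the f2 shadow byte at the marked address encodes.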