Hi Matthew, hi Philip,

I tried to follow the status for CVE-2017-7246 (#858679), and it looks like they still fail on the "current" revision from the upstream VCS.

I'm on r1689 ("Fix DFA match handling of possessive repeated character class (Bugzilla 2086).") and compiling locally with ASAN (basically only CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address"; I'm explicitly calling configure with --enable-pcre32 --disable-shared to explicitly catch the issues):

CVE-2017-7246:

$ ./pcretest -32 -d ~/poc/00209-pcre-stackoverflow2-read_capture_name32
PCRE version 8.41-RC1 2017-02-01

S++C
------------------------------------------------------------------
  0   6 Bra
  2     Callout 255 0 0
  6   6 Ket
  8     End
------------------------------------------------------------------
Capturing subpattern count = 0
May match empty string
Options:
No first char
No need char
Study returned NULL
JIT support is not available in this version of PCRE
Ì
--->\xcc\x80
 +0 ^
 0:
`\C0 c
--->` c
 +0 ^
 0:
 0C  (0)
NXe*007å\C0 c
--->NXe*007\xe5 c
 +0 ^
 0:
 0C  (0)
\C*0999999999999999
--->\x16\x10
 +0 ^
Callout data = -1530494977
Error -1530494977 (Unexpected value)
>
--->>
 +0 ^
 0:
W+
--->W+
 +0 ^
 0:

--->\x10
 +0 ^
 0:

--->\x98
 +0 ^
 0:
t
--->t\x12
 +0 ^
 0:
8 <b
--->8 <b
 +0 ^
 0:
W+
--->\x16W+
 +0 ^
 0:
> t
--->\x10\x0f>\x03 t\x12
 +0 ^
 0:

--->\x02\x10
 +0 ^
 0:
++C
--->++C
 +0 ^
 0:
Ì
--->\xcc\x80
 +0 ^
 0:
`\C0 c
--->` c
 +0 ^
 0:
 0C  (0)
\C*7 c
--->\x16\x10 c
 +0 ^
Callout data = 7
 +0 ^
Callout data = 7
 +0 ^
Callout data = 7
 +0 ^
Callout data = 7
 +0 ^
Callout data = 7
 +0 ^
Callout data = 7
No match
\C777K
--->\x16\x10K
 +0 ^
 0:
copy substring 9 failed -7
W+
--->\x16W+
 +0 ^
 0:
> t
--->\x10\x0f>\x03 t\x12
 +0 ^
 0:
\S+\d+W+
------------------------------------------------------------------
  0  10 Bra
  2     notprop Xsp +
  6     prop Nd ++
 10  10 Ket
 12     End
------------------------------------------------------------------
Capturing subpattern count = 0
Options: ucp
No first char
No need char
No match
++C
No match
Ì
No match
`\C0 c
No match
\C*7777K777!777707å\C0 c
 0: \x16\x10K777!7777\x7f07
 0+ \xe5 c
 0C \x16\x10K777!7777\x7f07 (14)
è*0999
 0: \x16\x10\x03\xe8*0999
 0+ >
No match
777!7777NXe*007å\C0 c
 0: 777!7777\x7fNXe*007
 0+ \xe5 c
 0C 777!7777\x7fNXe*007 (16)
\C*0999999999999999
No match
>
No match
W+
No match

No match

No match
t
No match
8 <b
No match
W+
No match
> t
No match
\S+\d+W+
=================================================================
==29702==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd3606a90 at pc 0x7f18d6253d7b bp 0x7ffdd3605de0 sp 0x7ffdd3605590
WRITE of size 268 at 0x7ffdd3606a90 thread T0
    #0 0x7f18d6253d7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x563daf372570 in pcre32_copy_substring /root/pcre/pcre_get.c:357
    #2 0x563daf1f1e1b in main /root/pcre/pcretest.c:5342
    #3 0x7f18d5e792b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #4 0x563daf1dfde9 in _start (/root/pcre/pcretest+0x1bde9)

Address 0x7ffdd3606a90 is located in stack of thread T0 at offset 2336 in frame
    #0 0x563daf1e5fa5 in main /root/pcre/pcretest.c:2987

  This frame has 35 object(s):
    [32, 36) 'erroroffset'
    [96, 100) 'first_char'
    [160, 164) 'need_char'
    [224, 228) 'match_limit'
    [288, 292) 'recursion_limit'
    [352, 356) 'count'
    [416, 420) 'backrefmax'
    [480, 484) 'first_char_set'
    [544, 548) 'need_char_set'
    [608, 612) 'okpartial'
    [672, 676) 'jchanged'
    [736, 740) 'hascrorlf'
    [800, 804) 'maxlookbehind'
    [864, 868) 'match_empty'
    [928, 932) 'callout_data'
    [992, 996) 'count'
    [1056, 1060) 'd'
    [1120, 1128) 'cn32ptr'
    [1184, 1192) 'gn32ptr'
    [1248, 1256) 'cn16ptr'
    [1312, 1320) 'gn16ptr'
    [1376, 1384) 'cn8ptr'
    [1440, 1448) 'gn8ptr'
    [1504, 1512) 'error'
    [1568, 1576) 'markptr'
    [1632, 1640) 'get_options'
    [1696, 1704) 'size'
    [1760, 1768) 'nametable'
    [1824, 1832) 'sbuf'
    [1888, 1904) 'rlim'
    [1952, 1976) 'lockout'
    [2016, 2040) 'preg'
    [2080, 2336) 'copybuffer'
    [2368, 6464) 'copynames' <== Memory access at offset 2336 partially underflows this variable
    [6496, 10592) 'getnames'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
  0x10003a6b8d00: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x10003a6b8d10: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x10003a6b8d20: f2 f2 00 00 00 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2
  0x10003a6b8d30: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10003a6b8d50: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10003a6b8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29702==ABORTING

(The reproducer files are from Agostino Sarubbo's git repository.)

Regards,
Salvatore
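Added illustration of the bug class the ASan trace above pins down (a 268-byte WRITE into the 256-byte 'copybuffer' from a copy-substring routine). This is constructed C for the thread, not PCRE's source or pcretest: a substring-copy helper in the style of a copy_substring API that validates the capture number and checks the destination size before writing, so an oversized capture yields an error return instead of a stack overflow. Names (bounded_copy_substring, the demo_* functions) are hypothetical; the error values follow PCRE's public numbering as far as I know (-6 no memory, -7 no substring, the latter matching the "copy substring 9 failed -7" line in the log), but treat them as an assumption. It uses 8-bit code units rather than the 32-bit ones of pcre32; the bounds logic is the same.

```c
#include <stddef.h>
#include <string.h>

/* Constructed error codes, assumed to mirror PCRE's PCRE_ERROR_NOMEMORY /
 * PCRE_ERROR_NOSUBSTRING numbering. */
#define COPY_ERR_NOMEMORY    (-6)
#define COPY_ERR_NOSUBSTRING (-7)

/* Copy capture group `stringnumber` of `subject` into `buffer`.
 * ovector holds (start, end) offsets per group, as a PCRE ovector does;
 * stringcount is the number of groups that were set by the match.
 * The destination size is checked BEFORE anything is written. */
int bounded_copy_substring(const char *subject, const int *ovector,
                           int stringcount, int stringnumber,
                           char *buffer, size_t buffersize)
{
    /* A group that was not set by the match cannot be copied. */
    if (stringnumber < 0 || stringnumber >= stringcount)
        return COPY_ERR_NOSUBSTRING;

    int start = ovector[2 * stringnumber];
    int end   = ovector[2 * stringnumber + 1];
    if (start < 0 || end < start)
        return COPY_ERR_NOSUBSTRING;

    size_t yield = (size_t)(end - start);
    /* This is the check whose absence lets a 268-unit capture be written
     * into a 256-byte buffer: refuse if it does not fit with its NUL. */
    if (yield + 1 > buffersize)
        return COPY_ERR_NOMEMORY;

    memcpy(buffer, subject + start, yield);
    buffer[yield] = '\0';
    return (int)yield;
}

/* Constructed scenario: group 0 spans 268 units, the size ASan reported. */
static void make_capture(char *subject, size_t len, int *ovector)
{
    memset(subject, 'A', len);
    ovector[0] = 0;
    ovector[1] = 268;
}

/* Same 256-byte destination as pcretest's 'copybuffer': must be refused. */
int demo_too_small(void)
{
    char subject[300];
    int ovector[2];
    char small[256];
    make_capture(subject, sizeof subject, ovector);
    return bounded_copy_substring(subject, ovector, 1, 0, small, sizeof small);
}

/* A destination large enough for the capture plus its terminator. */
int demo_fits(void)
{
    char subject[300];
    int ovector[2];
    char big[512];
    make_capture(subject, sizeof subject, ovector);
    return bounded_copy_substring(subject, ovector, 1, 0, big, sizeof big);
}

/* Asking for group 9 when only group 0 exists, like the log's
 * "copy substring 9 failed -7". */
int demo_missing_group(void)
{
    char subject[300];
    int ovector[2];
    char buf[512];
    make_capture(subject, sizeof subject, ovector);
    return bounded_copy_substring(subject, ovector, 1, 9, buf, sizeof buf);
}
```

Building this with the same -fsanitize=address flags as above is a cheap way to confirm the check holds: ASan stays silent for all three demo calls, whereas dropping the buffersize test turns demo_too_small into exactly the stack-buffer-overflow report shown in the trace.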