Hi,
I analyzed this bug a bit, and it seems clear where the bug is. However,
I don't know what the best way to fix it is.
In libpcre3 8.02 the pcre_config options MATCH_LIMIT and
MATCH_LIMIT_RECURSION take a long integer pointer as the where parameter,
whereas in older pcre they take an integer pointer. (See pcreapi.3,
function pcre_config and parameter MATCH_LIMIT, and the implementation in
pcre_config.c.)
In the pcre-ocaml binding package there is the following stub code:

    /* Generic stub for getting integer results from pcre_config */
    static inline int pcre_config_int(int what)
    {
        int ret;  /* int-sized buffer for every option, including the
                     ones pcre 8.x writes as unsigned long int */
        pcre_config(what, (void *) &ret);
        return ret;
    }
Obviously, casting the pointer to ret to (unsigned long int *) and writing
to it causes an out-of-bounds write.
This is fixed in pcre-ocaml package version 6 in testing and unstable,
and only causes a problem with stable's pcre-ocaml version 5 packages.
--
Tommi Vainikainen
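The following is an added example, not code from the mail, from pcre-ocaml or from libpcre. It shows one way to write the stub so that the buffer width follows the option: the two match-limit options get an unsigned long int local, everything else an int. Because it must run without libpcre, fake_pcre_config() is a constructed stand-in for pcre_config() that writes the same widths the mail describes; the CFG_* option codes and the returned sample values are constructed too (real code would use the PCRE_CONFIG_* constants from <pcre.h>).

```c
#include <stdio.h>

/* Option codes for the stand-in below. The numbers are constructed for this
 * example; real code uses the PCRE_CONFIG_* constants from <pcre.h>. */
enum {
    CFG_UTF8 = 0,                  /* written as an int */
    CFG_MATCH_LIMIT = 4,           /* written as an unsigned long int (pcre 8.x) */
    CFG_MATCH_LIMIT_RECURSION = 7  /* written as an unsigned long int (pcre 8.x) */
};

#define CFG_BADOPTION (-3)

/* Stand-in for pcre_config(), not the real library call. It mimics the width
 * behaviour the mail describes: ordinary options write an int through
 * `where`, the two match-limit options write an unsigned long int.
 * The sample values are constructed. */
static int fake_pcre_config(int what, void *where)
{
    switch (what) {
    case CFG_UTF8:
        *(int *)where = 1;
        return 0;
    case CFG_MATCH_LIMIT:
        *(unsigned long int *)where = 10000000UL;
        return 0;
    case CFG_MATCH_LIMIT_RECURSION:
        *(unsigned long int *)where = 5000000UL;
        return 0;
    default:
        return CFG_BADOPTION;
    }
}

/* Does this option write through an unsigned long int pointer? */
static int config_writes_ulong(int what)
{
    return what == CFG_MATCH_LIMIT || what == CFG_MATCH_LIMIT_RECURSION;
}

/* 1 if an int-sized local would be overrun for `what` on this platform
 * (on LP64 Linux sizeof(int) == 4 and sizeof(unsigned long int) == 8). */
static int int_buffer_overruns(int what)
{
    return config_writes_ulong(what) &&
           sizeof(unsigned long int) > sizeof(int);
}

/* Fixed stub: pick the local's type from the option, so the callee never
 * writes past the end of it. Returns -1 on an unknown option instead of
 * handing back uninitialised memory. */
static long config_value(int what)
{
    if (config_writes_ulong(what)) {
        unsigned long int v = 0;
        if (fake_pcre_config(what, &v) != 0)
            return -1;
        return (long)v;
    } else {
        int v = 0;
        if (fake_pcre_config(what, &v) != 0)
            return -1;
        return v;
    }
}

int main(void)
{
    printf("UTF8: %ld\n", config_value(CFG_UTF8));
    printf("MATCH_LIMIT: %ld (int buffer overruns: %d)\n",
           config_value(CFG_MATCH_LIMIT), int_buffer_overruns(CFG_MATCH_LIMIT));
    printf("MATCH_LIMIT_RECURSION: %ld\n", config_value(CFG_MATCH_LIMIT_RECURSION));
    printf("unknown option: %ld\n", config_value(99));
    return 0;
}
```

The point of int_buffer_overruns() is that the bug is invisible on ILP32 builds, where int and unsigned long int have the same size, and only shows up on LP64; a stub that dispatches on the option rather than on a single int local is correct on both.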