Hi, I analyzed this bug a bit, and it seems clear where the bug is. However, I don't know what is the best way to fix that.
In libpcre3 8.02, the pcre_config options MATCH_LIMIT and MATCH_LIMIT_RECURSION take a long integer pointer as the where parameter, whereas in older pcre they take an integer pointer. (See pcreapi.3, function pcre_config and parameter MATCH_LIMIT, and the implementation in pcre_config.c.)

In the pcre-ocaml binding package there is the following stub code:

    /* Generic stub for getting integer results from pcre_config */
    static inline int pcre_config_int(int what) {
      int ret;
      pcre_config(what, (void *) &ret);
      return ret;
    }

Obviously, casting the pointer to ret to (unsigned long int *) and writing to it causes an out-of-bounds write.

This is fixed in pcre-ocaml package version 6 in testing and unstable, and only causes a problem with stable's pcre-ocaml version 5 packages.

-- 
Tommi Vainikainen
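The size mismatch described in the message above, as an added example that is not part of the original message and is not pcre-ocaml's or PCRE's code. `mock_config`, the `MOCK_*` option names and the value 10000000 are constructed stand-ins for `pcre_config`, so the block runs without libpcre; `config_int_safe` is one possible shape for a stub that receives into storage of the right width.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pcre_config(): as described for 8.02, the two
   limit options store an unsigned long through `where`, others an int. */
enum { MOCK_UTF8 = 0, MOCK_MATCH_LIMIT = 4, MOCK_MATCH_LIMIT_RECURSION = 7 };

static int writes_long(int what) {
    return what == MOCK_MATCH_LIMIT || what == MOCK_MATCH_LIMIT_RECURSION;
}

static int mock_config(int what, void *where) {
    if (writes_long(what)) {
        unsigned long v = 10000000UL;        /* constructed sample value */
        memcpy(where, &v, sizeof v);
        return 0;
    }
    if (what == MOCK_UTF8) { int v = 1; memcpy(where, &v, sizeof v); return 0; }
    return -1;                               /* unknown option */
}

/* Number of bytes the callee stores for `what`, measured in a scratch
   buffer big enough for either type and pre-filled with a sentinel. */
static size_t bytes_stored(int what) {
    unsigned char buf[sizeof(unsigned long) + sizeof(int)];
    size_t i, n = 0;
    memset(buf, 0xA5, sizeof buf);
    if (mock_config(what, buf) != 0) return 0;
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0xA5) n = i + 1;       /* highest offset touched */
    return n;
}

/* Stub that receives into the type the option writes, then range-checks
   before narrowing to int. Returns 0 on success, -1 on failure. */
static int config_int_safe(int what, int *out) {
    if (writes_long(what)) {
        unsigned long v = 0;
        if (mock_config(what, &v) != 0 || v > (unsigned long)INT_MAX) return -1;
        *out = (int)v;
        return 0;
    }
    return mock_config(what, out);
}

int main(void) {
    int v = 0;
    printf("int receiver: %zu bytes, limit option stores: %zu bytes\n",
           sizeof(int), bytes_stored(MOCK_MATCH_LIMIT));
    if (config_int_safe(MOCK_MATCH_LIMIT, &v) == 0) printf("limit = %d\n", v);
    return 0;
}
```

On an LP64 platform the first line reports 4 versus 8 bytes, which is the overrun the `int ret` receiver in the quoted stub is exposed to.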