[pcre-dev] [Bug 1704] New: heap-buffer-overflow in compile_branch src/pcre2_compile.c:6323
https://bugs.exim.org/show_bug.cgi?id=1704

Bug ID: 1704
Summary: heap-buffer-overflow in compile_branch src/pcre2_compile.c:6323
Product: PCRE
Version: 10.20 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: k...@google.com
CC: pcre-dev@exim.org

Found with libFuzzer+AddressSanitizer on fresh trunk.

Feed the following bytes into regcomp with REG_NOSUB:

0x20,0xc0,0x60,0x27,0x33,0x28,0x28,0x70,0x28,0x3f,0x27,0x4b,

==27230==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604498f5 at pc 0x0051cae3 bp 0x7ffd3a848c90 sp 0x7ffd3a848c88
READ of size 1 at 0x604498f5 thread T0
    #0 0x51cae2 in compile_branch src/pcre2_compile.c:6323:16
    #1 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
    #2 0x5164bf in compile_branch src/pcre2_compile.c:6714:10
    #3 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
    #4 0x5164bf in compile_branch src/pcre2_compile.c:6714:10
    #5 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
    #6 0x4ec154 in pcre2_compile_8 src/pcre2_compile.c:8323:7
    #7 0x5d8bc5 in regcomp src/pcre2posix.c:219:23
    #8 0x4d59f6 in LLVMFuzzerTestOneInput

(The buffer is the one passed to regcomp.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

List details at https://lists.exim.org/mailman/listinfo/pcre-dev
[pcre-dev] [Bug 1705] New: heap-buffer-overflow in match src/pcre2_match.c:3321:20
https://bugs.exim.org/show_bug.cgi?id=1705

Bug ID: 1705
Summary: heap-buffer-overflow in match src/pcre2_match.c:3321:20
Product: PCRE
Version: 10.20 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: k...@google.com
CC: pcre-dev@exim.org

Found in fresh trunk with libFuzzer+AddressSanitizer.

==17410==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060ef5f at pc 0x005b1953 bp 0x7ffca70bfb30 sp 0x7ffca70bfb28
READ of size 1 at 0x6060ef5f thread T0
    #0 0x5b1952 in match src/pcre2_match.c:3321:20
    #1 0x55415c in pcre2_match_8 src/pcre2_match.c:6997:8
    #2 0x5da316 in regexec src/pcre2posix.c:291:6

0x6060ef5f is located 1 bytes to the left of 53-byte region [0x6060ef60,0x6060ef95)
(the buffer passed to match())

To reproduce, feed these bytes to the following target function:

0x5c,0x43,0x5b,0x5e,0x28,0x69,0x3f,0xb,0x2a,0x24,0xee,0xad,0xb4,0x24,0x4b,0x5c,0x5e,0x24,0x5d,0x7b,0x30,0x2c,0x7d,0x2f,0x64,0x2a,0xb,0x4d,

    #include <cstddef>
    #include <string>
    #include "pcre2posix.h"   /* PCRE2's POSIX wrapper: regcomp/regexec/regfree */

    using std::string;

    extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
      if (size < 1) return 0;
      regex_t preg;
      /* The same fuzzer input is used both as the pattern and as the subject. */
      string str(reinterpret_cast<const char *>(data), size);
      string pat(str);
      /* cflags are taken from a byte in the middle of the input, with REG_NOSUB cleared
         so that regexec() actually fills in pmatch. */
      if (0 == regcomp(&preg, pat.c_str(), data[size / 2] & ~REG_NOSUB)) {
        regmatch_t pmatch[5];
        regexec(&preg, str.c_str(), 5, pmatch, 0);
        regfree(&preg);
      }
      return 0;
    }
[pcre-dev] [Bug 1705] heap-buffer-overflow in match src/pcre2_match.c:3321:20
https://bugs.exim.org/show_bug.cgi?id=1705

--- Comment #3 from Kostya Serebryany ---
(In reply to Giuseppe D'Angelo from comment #2)
> However, there's no way to exclude \C from PCRE 1, is there?

I hope Philip can comment.
[pcre-dev] [Bug 1705] heap-buffer-overflow in match src/pcre2_match.c:3321:20
https://bugs.exim.org/show_bug.cgi?id=1705

Giuseppe D'Angelo changed:

What       |Removed |Added
CC         |        |dange...@gmail.com

--- Comment #2 from Giuseppe D'Angelo ---
However, there's no way to exclude \C from PCRE 1, is there?