[pcre-dev] [Bug 1704] New: heap-buffer-overflow in compile_branch src/pcre2_compile.c:6323

2015-10-23 Thread admin
https://bugs.exim.org/show_bug.cgi?id=1704

Bug ID: 1704
   Summary: heap-buffer-overflow in compile_branch
src/pcre2_compile.c:6323
   Product: PCRE
   Version: 10.20 (PCRE2)
  Hardware: x86
OS: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Code
  Assignee: p...@hermes.cam.ac.uk
  Reporter: k...@google.com
CC: pcre-dev@exim.org

Found with libFuzzer+AddressSanitizer on fresh trunk

Feed the following bytes into regcomp with REG_NOSUB
0x20,0xc0,0x60,0x27,0x33,0x28,0x28,0x70,0x28,0x3f,0x27,0x4b,

==27230==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604498f5 at pc 0x0051cae3 bp 0x7ffd3a848c90 sp 0x7ffd3a848c88
READ of size 1 at 0x604498f5 thread T0
#0 0x51cae2 in compile_branch src/pcre2_compile.c:6323:16
#1 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
#2 0x5164bf in compile_branch src/pcre2_compile.c:6714:10
#3 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
#4 0x5164bf in compile_branch src/pcre2_compile.c:6714:10
#5 0x4f1d7c in compile_regex src/pcre2_compile.c:7369:8
#6 0x4ec154 in pcre2_compile_8 src/pcre2_compile.c:8323:7
#7 0x5d8bc5 in regcomp src/pcre2posix.c:219:23
#8 0x4d59f6 in LLVMFuzzerTestOneInput 

(The buffer is the one passed to regcomp)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev 

[pcre-dev] [Bug 1705] New: heap-buffer-overflow in match src/pcre2_match.c:3321:20

2015-10-23 Thread admin
https://bugs.exim.org/show_bug.cgi?id=1705

Bug ID: 1705
   Summary: heap-buffer-overflow in match
src/pcre2_match.c:3321:20
   Product: PCRE
   Version: 10.20 (PCRE2)
  Hardware: x86
OS: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Code
  Assignee: p...@hermes.cam.ac.uk
  Reporter: k...@google.com
CC: pcre-dev@exim.org

Found in fresh trunk with libFuzzer+AddressSanitizer

==17410==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6060ef5f at pc 0x005b1953 bp 0x7ffca70bfb30 sp 0x7ffca70bfb28
READ of size 1 at 0x6060ef5f thread T0
#0 0x5b1952 in match src/pcre2_match.c:3321:20
#1 0x55415c in pcre2_match_8 src/pcre2_match.c:6997:8
#2 0x5da316 in regexec src/pcre2posix.c:291:6

0x6060ef5f is located 1 bytes to the left of 53-byte region
[0x6060ef60,0x6060ef95)

(the buffer passed to match())

To reproduce feed these bytes to the following target function:
0x5c,0x43,0x5b,0x5e,0x28,0x69,0x3f,0xb,0x2a,0x24,0xee,0xad,0xb4,0x24,0x4b,0x5c,0x5e,0x24,0x5d,0x7b,0x30,0x2c,0x7d,0x2f,0x64,0x2a,0xb,0x4d,

// libFuzzer target for the pcre2posix wrapper (the regcomp()/regexec() in the
// trace above come from src/pcre2posix.c, so the header is pcre2posix.h and the
// binary links against -lpcre2-posix -lpcre2-8). Pattern and subject are the
// same input bytes; the compile flags come from the middle byte with REG_NOSUB
// cleared, so regexec() always has to fill in pmatch.
#include <cstddef>
#include <string>
#include <pcre2posix.h>

using std::string;

extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  regex_t preg;
  string str(reinterpret_cast<const char *>(data), size);
  string pat(str);
  if (0 == regcomp(&preg, pat.c_str(), data[size/2] & ~REG_NOSUB)) {
    regmatch_t pmatch[5];
    regexec(&preg, str.c_str(), 5, pmatch, 0);
    regfree(&preg);
  }
  return 0;
}
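
A stand-alone reproducer for both reports (bug 1704 and bug 1705), added here as an example; it is not part of the original reports or of PCRE2. It feeds the bytes given above through regcomp()/regexec() exactly as the reports describe: for 1704, regcomp with REG_NOSUB; for 1705, the fuzz target's flow with pattern == subject, cflags = data[size/2] & ~REG_NOSUB and a 5-entry pmatch. Each buffer is a heap copy of exactly size+1 bytes so that a one-byte read past either end, like the "1 bytes to the left" read in 1705, lands in an AddressSanitizer redzone. To reproduce against PCRE2's POSIX wrapper build with -DUSE_PCRE2_POSIX -fsanitize=address and link -lpcre2-posix -lpcre2-8; the default build against the system regex.h only exercises the same call sequence and will not crash, and the flag byte then decodes to different REG_* bits, because glibc and pcre2posix.h number them differently. The USE_PCRE2_POSIX macro, the function names and the exact-size copies are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef USE_PCRE2_POSIX
#include <pcre2posix.h>   /* PCRE2's POSIX wrapper: what the reports ran */
#else
#include <regex.h>        /* system libc regex: exercises the flow only */
#endif

/* Input bytes copied from the two reports above. */
static const unsigned char bug1704_input[] = {
  0x20,0xc0,0x60,0x27,0x33,0x28,0x28,0x70,0x28,0x3f,0x27,0x4b,
};
static const unsigned char bug1705_input[] = {
  0x5c,0x43,0x5b,0x5e,0x28,0x69,0x3f,0x0b,0x2a,0x24,0xee,0xad,0xb4,0x24,
  0x4b,0x5c,0x5e,0x24,0x5d,0x7b,0x30,0x2c,0x7d,0x2f,0x64,0x2a,0x0b,0x4d,
};

/* Copy raw bytes into a NUL-terminated heap buffer of exactly size+1 bytes,
   so an out-of-bounds read by regcomp()/regexec() hits ASan's redzone rather
   than slack space inside a larger allocation. */
static char *exact_copy(const unsigned char *data, size_t size) {
  char *buf = malloc(size + 1);
  if (!buf) abort();
  memcpy(buf, data, size);
  buf[size] = '\0';
  return buf;
}

/* Mirrors the bug 1705 fuzz target: cflags is the middle input byte with
   REG_NOSUB cleared. Which REG_* bits that byte selects depends on the
   regex header in use (pcre2posix.h vs. libc regex.h). */
int harness_cflags(const unsigned char *data, size_t size) {
  return data[size / 2] & ~REG_NOSUB;
}

/* Compile the bytes as a pattern with `cflags`; if do_exec is set, also run
   regexec() against a second copy of the same bytes with a 5-entry pmatch,
   as the fuzz target does. Returns the regcomp() code (0 on success); the
   match outcome goes to *matched (1 matched, 0 no match) when non-NULL. */
int run_case(const unsigned char *data, size_t size, int cflags,
             int do_exec, int *matched) {
  char *pat = exact_copy(data, size);
  char *subj = do_exec ? exact_copy(data, size) : NULL;
  regex_t preg;
  int rc = regcomp(&preg, pat, cflags);
  if (rc == 0) {
    if (do_exec) {
      regmatch_t pmatch[5];
      int m = regexec(&preg, subj, 5, pmatch, 0);
      if (matched) *matched = (m == 0);
    }
    regfree(&preg);
  }
  free(subj);
  free(pat);
  return rc;
}

/* Bug 1704: "Feed the following bytes into regcomp with REG_NOSUB". */
int reproduce_1704(void) {
  return run_case(bug1704_input, sizeof bug1704_input, REG_NOSUB, 0, NULL);
}

/* Bug 1705: the fuzz target's compile-then-match sequence on its input. */
int reproduce_1705(int *matched) {
  int cflags = harness_cflags(bug1705_input, sizeof bug1705_input);
  return run_case(bug1705_input, sizeof bug1705_input, cflags, 1, matched);
}

int main(void) {
  int matched = 0;
  printf("bug 1704: regcomp -> %d\n", reproduce_1704());
  printf("bug 1705: regcomp -> %d, matched=%d\n",
         reproduce_1705(&matched), matched);
  return 0;
}
```

When built against PCRE2 with ASan the process is expected to stop inside regcomp (1704) or regexec (1705) with a report like the ones quoted above; against the libc regex the two functions simply return their ordinary status codes.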

[pcre-dev] [Bug 1705] heap-buffer-overflow in match src/pcre2_match.c:3321:20

2015-10-23 Thread admin
https://bugs.exim.org/show_bug.cgi?id=1705

--- Comment #3 from Kostya Serebryany  ---
(In reply to Giuseppe D'Angelo from comment #2)
> However, there's no way to exclude \C from PCRE 1, is there?
I hope Philip can comment.

[pcre-dev] [Bug 1705] heap-buffer-overflow in match src/pcre2_match.c:3321:20

2015-10-23 Thread admin
https://bugs.exim.org/show_bug.cgi?id=1705

Giuseppe D'Angelo  changed:

           What    |Removed |Added
                 CC|        |dange...@gmail.com

--- Comment #2 from Giuseppe D'Angelo  ---
However, there's no way to exclude \C from PCRE 1, is there?