https://bugs.exim.org/show_bug.cgi?id=1660
Bug ID: 1660
Summary: pcre_exec delivers wrong offsets
Product: PCRE
Version: 8.37
Hardware: x86
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: a...@php.net
CC: pcre-dev@exim.org

Hi,

I was looking through the existing tickets but couldn't find anything similar. This bug is reported on the PHP security lists and is found in PHP; however, a simple C snippet reproduces it as well.

In PHP

================= CODE ===================
<?php

$regex = '/(?=ab\K)/';

if(preg_match($regex, $regex, $matches)) {
    var_dump($matches);
}
================= END CODE ==================

Basically it is the pattern (?=ab\K) that produces an issue. pcre_exec returns 1 when this pattern is matched with itself. However, when looking for substrings, the offsets produce negative numbers when used like offset[i+1] - offset[i]. This leads to crashes when such code is used, outside of PCRE as well as with a subsequent pcre_get_substring_list call.

Thanks.
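The caller-side check that keeps a negative offset[i+1] - offset[i] from reaching a copy, as an added example that is not part of the original report or of PCRE. The function names, status codes and the offset values {6, 4} are assumptions constructed for illustration, not output captured from pcre_exec.

```c
#include <stdio.h>
#include <string.h>

/* Status names are hypothetical, chosen for this example. */
enum capture_status { CAPTURE_OK = 0, CAPTURE_UNSET = 1, CAPTURE_INVALID = -1 };

/* Validate pair i of a pcre_exec()-style offset vector before it is used as
 * (start, length). rc is the pcre_exec() return value; 0 (vector too small)
 * and negative error codes are both rejected here. */
static enum capture_status check_capture(const int *ovector, int rc, int i,
                                         int subject_len, int *start, int *len)
{
    if (rc <= 0 || i < 0 || i >= rc)
        return CAPTURE_INVALID;
    int s = ovector[2 * i];
    int e = ovector[2 * i + 1];
    if (s == -1 && e == -1)
        return CAPTURE_UNSET;      /* group did not take part in the match */
    if (s < 0 || e < s || e > subject_len)
        return CAPTURE_INVALID;    /* end < start is the case in this report */
    *start = s;
    *len = e - s;
    return CAPTURE_OK;
}

/* Copy capture i into buf only when its offsets are sane.
 * Returns the number of bytes copied, or -1 if the capture is rejected. */
static int copy_capture(const char *subject, const int *ovector, int rc, int i,
                        char *buf, size_t bufsize)
{
    int start, len;
    if (check_capture(ovector, rc, i, (int)strlen(subject), &start, &len) != CAPTURE_OK)
        return -1;
    if ((size_t)len >= bufsize)
        return -1;
    memcpy(buf, subject + start, (size_t)len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    const char *subject = "/(?=ab\\K)/";
    int reported[2] = { 6, 4 };    /* constructed: start after end */
    char buf[16];
    int n = copy_capture(subject, reported, 1, 0, buf, sizeof buf);
    printf("capture 0: %s\n", n < 0 ? "rejected" : buf);
    return 0;
}
```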