https://bugs.exim.org/show_bug.cgi?id=1779
Bug ID: 1779
Summary: Segfault in preg_match PHP 7.0.2 (stack corruption)
Product: PCRE
Version: 8.37
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: cyo...@tripwire.com
CC: pcre-dev@exim.org
This pattern seems to be causing stack corruption when testing with php 7.0.2
preg_match() which uses PCRE 8.37: /(?(199999999999999999)(()())())/
$ gdb php
[...]
(gdb) r -r
'preg_match("/(?(199999999999999999)(()())())/","abcdef",$match,PREG_OFFSET_CAPTURE);'
Starting program: /home/spotless/php-tip/php-src-php-7.0.2/sapi/cli/php -r
'preg_match("/(?(199999999999999999)(()())())/","abcdef",$match,PREG_OFFSET_CAPTURE);'
Program received signal SIGBUS, Bus error.
0x00007ffff7f66086 in ?? ()
(gdb) exploitable
/usr/share/gdb/python/gdb/command/exploitable_lib/exploitable.py:99:
UserWarning: GDB v7.10 may not support required Python API
warnings.warn("GDB v{} may not support required Python
API".format(gdb_ver()))
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 0c1178206c70e25a83bda38cae6b2cc0.0c1178206c70e25a83bda38cae6b2cc0
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack
contained return addresses that were not mapped in the inferior's process
address space and/or the stack pointer is pointing to a location outside the
default stack region. These conditions likely indicate stack corruption, which
is generally considered exploitable.
Other tags: AccessViolation (21/22)
(gdb) bt
#0 0x00007ffff7f66086 in ?? ()
#1 0x0000000000000000 in ?? ()
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
