http://bugs.exim.org/show_bug.cgi?id=952

           Summary: pcre-8.01 may access out of static array in 'make test'.
           Product: PCRE
           Version: 8.01
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]


In 'make test', internal_dfa_exec() accesses coptable[] with index 114,
but the array's length is 113.

This bug was found using Fail-Safe C.
(https://staff.aist.go.jp/y.oiwa/FailSafeC/index-en.html)

$ uname -a
Linux hardy2-gp01 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux

$ gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)

$ CFLAGS=-g ./configure --disable-shared && make
(snip)

$ gdb pcretest
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b pcre_dfa_exec.c:674
Breakpoint 1 at 0x8059dc8: file pcre_dfa_exec.c, line 674.
(gdb) run -q -dfa
Starting program: /home/katayama/work/pcre-8.01/pcretest -q -dfa
  re> /(a|(bc)){0,0}?xyz/
data> xyz

Breakpoint 1, internal_dfa_exec (md=0xbff962f4, this_start_code=0x8094af0 "^", current_subject=0x80886ad "xyz", start_offset=0, offsets=0x8094a10, offsetcount=44, workspace=0xbff96508, wscount=124, ims=0, rlevel=1, recursing=0) at pcre_dfa_exec.c:674
674       if (coptable[codevalue] > 0)
(gdb) p codevalue
$1 = 114
(gdb) p sizeof(coptable) / sizeof(coptable[0])
$2 = 113
(gdb)

-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

-- 
## List details at http://lists.exim.org/mailman/listinfo/pcre-dev
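Added example (not PCRE code and not from the reporter): the class of defect shown in the report above is a per-opcode lookup table that is one entry shorter than the opcode set indexing it, so the highest opcode reads one element past the array. The program below uses hypothetical names (enum op, optable_short, optable, lookup_unchecked, lookup_checked, would_overrun) and does not reproduce the contents of PCRE's coptable. It places the short table beside one whose length is tied to the opcode count at compile time, contrasts a blind lookup with a bounds-checked one, and performs in code the same length-versus-index comparison the gdb session does by hand.

```c
/* Added illustration of the "table shorter than the opcode set" bug class.
 * All names here are hypothetical; this is not pcre_dfa_exec.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical opcode enumeration. OP_COUNT is the number of opcodes and
 * therefore the length every per-opcode table must have. */
enum op {
    OP_END,        /* 0 */
    OP_CHAR,       /* 1 */
    OP_ANY,        /* 2 */
    OP_BRA,        /* 3 */
    OP_KET,        /* 4 */
    OP_SKIPZERO,   /* 5: added to the enum after the table below was written */
    OP_COUNT
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Per-opcode lengths as written before OP_SKIPZERO existed: 5 entries for
 * 6 opcodes. Indexing it with OP_SKIPZERO reads past the array. */
static const uint8_t optable_short[] = { 0, 2, 1, 3, 3 };

/* Corrected table: one entry per opcode, and the compiler refuses to build
 * if the enum grows again without the table being extended. */
static const uint8_t optable[] = { 0, 2, 1, 3, 3, 1 };
_Static_assert(LEN(optable) == OP_COUNT,
               "optable must have exactly one entry per opcode");

/* The pattern from the bug class: the index is trusted without a check.
 * Undefined behaviour whenever code >= the table length. */
static int lookup_unchecked(const uint8_t *tab, int code) {
    return tab[code];
}

/* Hardened lookup: any code the table does not cover is rejected with -1
 * instead of being used to read beyond the array. */
static int lookup_checked(const uint8_t *tab, size_t len, int code) {
    if (code < 0 || (size_t)code >= len) return -1;
    return tab[code];
}

/* The check the gdb session made by hand ("p codevalue" against
 * "p sizeof(coptable) / sizeof(coptable[0])"): 1 if the access would be
 * out of bounds, 0 otherwise. */
static int would_overrun(size_t table_len, int code) {
    return code < 0 || (size_t)code >= table_len;
}

int main(void) {
    int code = OP_SKIPZERO;
    printf("short table length %zu, index %d, overrun=%d\n",
           LEN(optable_short), code, would_overrun(LEN(optable_short), code));
    printf("checked lookup in short table: %d\n",
           lookup_checked(optable_short, LEN(optable_short), code));
    printf("checked lookup in full table:  %d\n",
           lookup_checked(optable, LEN(optable), code));
    /* The unchecked lookup is only ever called here with an in-range index. */
    printf("unchecked lookup of OP_CHAR:   %d\n",
           lookup_unchecked(optable, OP_CHAR));
    return 0;
}
```

The compile-time assertion is the cheap fix: when an opcode enum and a parallel table live in different files, a length check next to the table catches the mismatch at build time rather than under a bounds checker or in a debugger.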
