------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=962

           Summary: buffer overflow in pcre_compile.c
           Product: PCRE
           Version: 8.01
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]

There is a test in pcre_compile.c to check if the buffer holding the compiled regexp has been overrun:

    2725     if (code > cd->start_workspace + COMPILE_WORK_SIZE) /* Check for overrun */
    2726       {
    2727       *errorcodeptr = ERR52;
    2728       goto FAILED;
    2729       }

The test looks to be incorrect, because when the check is true, the buffer pointed to by cd->start_workspace (which is COMPILE_WORK_SIZE bytes) will have already been overrun. There is a similar check at pcre_compile.c:2774.

So, for example, on Ubuntu 8.04:

    $ perl -e 'print "/","("x819, ")"x819, "/"' | ./pcretest
    PCRE version 8.01 2010-01-19

      re>
      re> *** stack smashing detected ***: /media/opt/src/c/pcre-8.01/.libs/lt-pcretest terminated
    ======= Backtrace: =========
    /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f4f138]
    /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f4f0f0]
    /media/opt/src/c/pcre-8.01/.libs/libpcre.so.0[0xb7fd7764]
    /media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile2+0x5f8)[0xb7fc9f18]
    /media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile+0x41)[0xb7fca541]
    /media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x804aead]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7e78450]
    /media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x8049141]

The attached patch isn't quite right, since the offset returned in the error will be wrong and the comments in pcre_internal.h suggest that the lengths may be only minima anyway.

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

## List details at http://lists.exim.org/mailman/listinfo/pcre-dev
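The defect the report describes is a general one: a bounds check placed after the write can only observe an overrun that has already happened. The following is an added illustration, not PCRE's code and not the reporter's patch. It uses a constructed toy workspace (WORK_SIZE, GUARD_SIZE, ERR_OVERRUN and the function names are all assumptions) followed by a canary-filled guard region that stands in for whatever sits after the workspace in real memory. compile_check_after() mirrors the shape of the quoted check and is shown to clobber the guard before it reports an error; compile_check_before() tests the remaining space before each emit and refuses without touching the guard.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy sizes; PCRE's real COMPILE_WORK_SIZE is far larger. */
#define WORK_SIZE   16
#define GUARD_SIZE  8
#define CANARY      0xA5

/* Illustrative stand-in for PCRE's ERR52; the value is not PCRE's. */
#define ERR_OVERRUN 52

/* Workspace plus a guard region modelling the memory that follows it. */
typedef struct {
    unsigned char mem[WORK_SIZE + GUARD_SIZE];
} workspace_t;

void ws_init(workspace_t *ws) {
    memset(ws->mem, 0, WORK_SIZE);
    memset(ws->mem + WORK_SIZE, CANARY, GUARD_SIZE);
}

/* Returns 1 if any byte was written past the end of the workspace. */
int ws_guard_clobbered(const workspace_t *ws) {
    for (int i = 0; i < GUARD_SIZE; i++)
        if (ws->mem[WORK_SIZE + i] != CANARY)
            return 1;
    return 0;
}

/* Emit n one-byte items, testing for overrun AFTER each write.
 * This is the shape of the check in the bug report: the error only
 * fires once 'code' has already moved past the workspace, i.e. after
 * the out-of-bounds byte has been stored. Returns bytes emitted or -1. */
int compile_check_after(workspace_t *ws, int n, int *errorcode) {
    unsigned char *start = ws->mem, *code = start;
    *errorcode = 0;
    for (int i = 0; i < n; i++) {
        *code++ = 'B';                          /* write first... */
        if (code > start + WORK_SIZE) {         /* ...then notice, too late */
            *errorcode = ERR_OVERRUN;
            return -1;
        }
    }
    return (int)(code - start);
}

/* Emit n one-byte items, testing the remaining space BEFORE each write.
 * The guard region is never touched: the error is raised while 'code'
 * still points inside the workspace. Returns bytes emitted or -1. */
int compile_check_before(workspace_t *ws, int n, int *errorcode) {
    unsigned char *start = ws->mem, *code = start;
    *errorcode = 0;
    for (int i = 0; i < n; i++) {
        if (code + 1 > start + WORK_SIZE) {     /* would overrun: stop now */
            *errorcode = ERR_OVERRUN;
            return -1;
        }
        *code++ = 'B';
    }
    return (int)(code - start);
}

int main(void) {
    workspace_t ws;
    int err, rc;

    ws_init(&ws);
    rc = compile_check_after(&ws, WORK_SIZE + 1, &err);
    printf("check-after:  rc=%d err=%d guard clobbered=%d\n",
           rc, err, ws_guard_clobbered(&ws));

    ws_init(&ws);
    rc = compile_check_before(&ws, WORK_SIZE + 1, &err);
    printf("check-before: rc=%d err=%d guard clobbered=%d\n",
           rc, err, ws_guard_clobbered(&ws));
    return 0;
}
```

Both variants report ERR_OVERRUN for an input one byte too large, so from the caller's point of view they look equivalent; the guard canary is what distinguishes them, and it plays the same role here that the stack protector's canary plays in the "stack smashing detected" abort quoted above. Checking before the write, with the size of the item about to be emitted, is the form that actually prevents the corruption rather than merely diagnosing it.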
