https://bugs.exim.org/show_bug.cgi?id=1660

            Bug ID: 1660
           Summary: pcre_exec delivers wrong offsets
           Product: PCRE
           Version: 8.37
          Hardware: x86
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: p...@hermes.cam.ac.uk
          Reporter: a...@php.net
                CC: pcre-dev@exim.org

Hi,

I was looking through the existing tickets but couldn't find anything similar.
This bug was reported on the PHP security lists and is found in PHP; however, a
simple C snippet reproduces it as well. In PHP:

================= CODE ===================
<?php

$regex = '/(?=ab\K)/';

if(preg_match($regex, $regex, $matches)) {
        var_dump($matches);
}
================= END CODE ==================

Basically it is the pattern (?=ab\K) that produces an issue. pcre_exec returns
1 when this pattern is matched with itself. However when looking for
substrings, the offsets produce negative numbers when used like offset[i+1] -
offset[i]. This leads to crashes when such code is used, outside of PCRE as
well as with a subsequent pcre_get_substring_list call.

Thanks.
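The failure mode described above is a consumer computing a substring length as offset[i+1] - offset[i] and trusting the result. The following is an added example (not part of the bug report, PHP or PCRE) showing how such a length goes negative when the end offset precedes the start offset, and the validation a pcre_get_substring_list-style consumer should apply before using the pair. It assumes a PCRE-style ovector (int pairs, -1 for unset groups); the offset values and the subject are constructed for illustration, not taken from an actual pcre_exec run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking one capture pair before it is used. */
enum ovec_status {
    OVEC_OK = 0,
    OVEC_UNSET = 1,          /* PCRE reports an unset group as -1/-1 */
    OVEC_INVERTED = 2,       /* start > end, the condition the report describes */
    OVEC_OUT_OF_RANGE = 3    /* offset beyond the subject length */
};

/* Naive length as written in the report: offset[i+1] - offset[i].
   Returned signed so the caller can see it go negative. */
int naive_length(const int *ovector, int index)
{
    return ovector[2 * index + 1] - ovector[2 * index];
}

/* Validate the pair for capture group `index` against the subject length.
   A consumer must do this before converting a difference to size_t. */
enum ovec_status validate_capture(const int *ovector, int index, size_t subject_len)
{
    int start = ovector[2 * index];
    int end   = ovector[2 * index + 1];
    if (start < 0 || end < 0)
        return OVEC_UNSET;
    if ((size_t)start > subject_len || (size_t)end > subject_len)
        return OVEC_OUT_OF_RANGE;
    if (start > end)
        return OVEC_INVERTED;
    return OVEC_OK;
}

/* Copy capture `index` into `out` only if the pair is sane.
   Returns the number of bytes copied, or -1 if the pair was rejected
   or the output buffer is too small. */
int copy_capture(const char *subject, size_t subject_len,
                 const int *ovector, int index, char *out, size_t out_size)
{
    if (validate_capture(ovector, index, subject_len) != OVEC_OK)
        return -1;
    size_t len = (size_t)(ovector[2 * index + 1] - ovector[2 * index]);
    if (len + 1 > out_size)
        return -1;
    memcpy(out, subject + ovector[2 * index], len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed subject: the pattern matched against itself, as in the report. */
static const char SUBJECT[] = "(?=ab\\K)";
/* Constructed ovector for group 0 with start > end. These exact numbers are
   illustrative; the report does not state what pcre_exec 8.37 returned. */
static const int BAD_OVECTOR[2]  = { 5, 3 };
/* Constructed well-formed pair covering "ab" in the subject. */
static const int GOOD_OVECTOR[2] = { 3, 5 };

int main(void)
{
    char buf[16];
    size_t subject_len = strlen(SUBJECT);

    int n = naive_length(BAD_OVECTOR, 0);
    printf("naive length: %d (as size_t: %zu)\n", n, (size_t)n);
    printf("validate bad pair: %d\n", validate_capture(BAD_OVECTOR, 0, subject_len));
    printf("copy bad pair: %d\n", copy_capture(SUBJECT, subject_len, BAD_OVECTOR, 0, buf, sizeof buf));
    if (copy_capture(SUBJECT, subject_len, GOOD_OVECTOR, 0, buf, sizeof buf) >= 0)
        printf("copy good pair: \"%s\"\n", buf);
    return 0;
}
```

The signed difference for the constructed bad pair is -2; cast to size_t for a memcpy or malloc it becomes an enormous length, which is the crash path the report refers to. Rejecting inverted pairs at the boundary where offsets leave the regex engine keeps a bug in the engine from becoming a memory-safety bug in the caller.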
