https://bugs.exim.org/show_bug.cgi?id=2510
Bug ID: 2510
Summary: NULL-pointer deref on match of JIT-compiled regex
Product: PCRE
Version: 10.34 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: m...@forallsecure.com
CC: pcre-dev@exim.org

Created attachment 1259 --> https://bugs.exim.org/attachment.cgi?id=1259&action=edit
Reproducer source file

It appears that some combination of the THEN verb "(*THEN:" and a lookahead "?=" (or "?<=") causes a NULL-pointer dereference later when the emitted JIT code is executed. This bug was found with fuzzing, and I can't diagnose the JIT code myself other than to say it's always the same instruction that crashes: "cmp qword ptr [r15 + 8], rax" on x64.

I was able to minimize the crash to the following combination:

pattern: "(?=(*THEN: ))* |"
string: " "

and have attached a reproducer source file. Since it's a segfault in a JIT region the ASAN output and crash backtraces aren't very useful.

I can supply a dockerfile or other clarifying information if needed, but there's nothing special about the build other than configuring with --enable-jit.