https://bugs.exim.org/show_bug.cgi?id=2778
--- Comment #3 from Giuseppe D'Angelo <dange...@gmail.com> ---

1) PCRE 8 has reached EOL, so no bugs against it will be fixed. Please always test the *latest* PCRE2 10.XX.

2) pcretest is not a tool an attacker can use, it's an internal tool for PCRE's own testing. It's OK to point out a bug inside PCRE by providing an input to pcretest ("if you run this regexp on this input => this bad thing happens"). It's even OK to point out a bug inside pcretest itself ("if you run it on this input it crashes"). It's NOT OK to claim a possible security issue, like a heap overflow, if this is happening inside pcretest itself. As I said, it's not a security-sensitive application.

3) This is clearly a duplicate of PR 2052, as the mention of CVE-2017-7186 shows. Why are you opening bug reports for very old vulnerabilities? Are you running PCRE under a fuzzer + ASAN in order to look for security issues? Is it to test some new fuzzing technology? If so, you should build a minimal C application and stress-test the API (pcre_compile, pcre_exec and so on); *not* pcretest. You can of course test pcretest, but then any bug you find has to be appropriately targeted -- did you find a bug in the API, which *is* a security issue, or did you find a bug in pcretest, which is "nice to fix" but not THAT important?

4) PCRE (2) is already under oss-fuzz.