https://bugs.exim.org/show_bug.cgi?id=1699
Bug ID: 1699
Summary: signed integer overflow in src/pcre2_study.c on "int branchlength"
Product: PCRE
Version: 10.20 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: k...@google.com
CC: pcre-dev@exim.org

Created attachment 835
  --> https://bugs.exim.org/attachment.cgi?id=835&action=edit
several reproducers in tar.gz

Found with LLVM libFuzzer+ubsan on fresh trunk. Build with clang -fsanitize=signed-integer-overflow, feed the attached data into this target function:

    #include <cstddef>
    #include <cstring>
    #include <regex.h>   // POSIX regex API (served by PCRE2's pcre2posix wrapper when linked against PCRE2)

    // libFuzzer entry point: treat the input bytes as a pattern, compile it,
    // and match it against itself.
    extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size)
    {
      if (size < 1) return 0;
      // regcomp() needs a NUL-terminated string; make a private copy.
      char *str = new char[size+1];
      memcpy(str, data, size);
      str[size] = 0;
      regex_t preg;
      if (0 == regcomp(&preg, str, 0)) {
        regmatch_t pmatch[5];
        regexec(&preg, str, 5, pmatch, 0);
        regfree(&preg);
      }
      delete [] str;
      return 0;
    }

On different reproducers (all attached) the overflow happens in different places, but all on the same variable in find_minlength:

    src/pcre2_study.c:162:18: runtime error: signed integer overflow: 1258933984 + 1254561840 cannot be represented in type 'int'
    src/pcre2_study.c:183:18: runtime error: signed integer overflow: 1642076300 + 1642076299 cannot be represented in type 'int'
    src/pcre2_study.c:559:18: runtime error: signed integer overflow: 1919010401 + 1919010391 cannot be represented in type 'int'
    src/pcre2_study.c:559:25: runtime error: signed integer overflow: 7252 * 4372144 cannot be represented in type 'int'
    src/pcre2_study.c:571:20: runtime error: signed integer overflow: 1462063878 + 1919010390 cannot be represented in type 'int'
    src/pcre2_study.c:592:24: runtime error: signed integer overflow: 1919010394 + 1919010390 cannot be represented in type 'int'
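The sanitizer lines above all have the same shape: a running `int` minimum length is grown by `+= length` or `+= repeat * length` with pattern-controlled operands until it wraps. The following is an added example, not code from PCRE2 or from the reporter, and it does not show how PCRE2 actually fixed the bug; it models a minimum-length accumulator that detects each overflow with the GCC/Clang `__builtin_add_overflow` / `__builtin_mul_overflow` intrinsics and clamps to `INT_MAX` instead of wrapping. The helper names (`add_sat`, `add_mul_sat`, `sum_minlength`, `case_overflows`) and the `(repeat, length)` item format are assumptions made for this example; the operand values in `main` are taken from the report's sanitizer output.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: *acc += d, saturating at INT_MAX. Returns false
   when the plain addition would have overflowed (the 162:18 shape). */
static bool add_sat(int *acc, int d)
{
    int r;
    if (__builtin_add_overflow(*acc, d, &r)) {
        *acc = INT_MAX;
        return false;
    }
    *acc = r;
    return true;
}

/* Hypothetical helper: *acc += rep * d with both the product and the
   sum checked (the 559:25 "7252 * 4372144" shape). */
static bool add_mul_sat(int *acc, int rep, int d)
{
    int prod;
    if (__builtin_mul_overflow(rep, d, &prod)) {
        *acc = INT_MAX;
        return false;
    }
    return add_sat(acc, prod);
}

/* Toy model of a minimum-length pass over a branch: each item is
   {repeat_count, per_item_length}. Returns the saturated total and
   reports through *overflowed whether any step had to be clamped,
   so a caller can refuse to trust the value instead of using a
   wrapped (possibly negative) minimum length. */
static int sum_minlength(const int (*items)[2], size_t n, bool *overflowed)
{
    int branchlength = 0;
    *overflowed = false;
    for (size_t i = 0; i < n; i++) {
        if (!add_mul_sat(&branchlength, items[i][0], items[i][1]))
            *overflowed = true;
    }
    return branchlength;
}

/* Convenience wrapper: did this item list trip the overflow guard? */
static bool case_overflows(const int (*items)[2], size_t n)
{
    bool o;
    sum_minlength(items, n, &o);
    return o;
}

int main(void)
{
    /* Constructed inputs: a benign branch, then the two operand pairs
       quoted from the report (162:18 and 559:25). */
    const int benign[][2] = { {3, 10}, {1, 5} };
    const int wrap_add[][2] = { {1, 1258933984}, {1, 1254561840} };
    const int wrap_mul[][2] = { {7252, 4372144} };
    bool o;

    printf("benign:   %d (overflowed=%d)\n", sum_minlength(benign, 2, &o), o);
    printf("wrap_add: %d (overflowed=%d)\n", sum_minlength(wrap_add, 2, &o), o);
    printf("wrap_mul: %d (overflowed=%d)\n", sum_minlength(wrap_mul, 1, &o), o);
    return 0;
}
```

Compiled with `-fsanitize=signed-integer-overflow`, the guarded version stays silent on all three inputs, because the intrinsics never perform the wrapping operation; the unguarded `branchlength += rep * d` would trip ubsan on the last two. Clamping is only half of the fix: the caller must also treat the `overflowed` flag as "minimum length unknown" rather than feed `INT_MAX` into later length checks.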