https://bugs.exim.org/show_bug.cgi?id=1699

            Bug ID: 1699
           Summary: signed integer overflow in src/pcre2_study.c on "int
                    branchlength"
           Product: PCRE
           Version: 10.20 (PCRE2)
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: p...@hermes.cam.ac.uk
          Reporter: k...@google.com
                CC: pcre-dev@exim.org

Created attachment 835
  --> https://bugs.exim.org/attachment.cgi?id=835&action=edit
several reproducers in tar.gz

Found with LLVM libFuzzer+ubsan on fresh trunk.
Build with clang -fsanitize=signed-integer-overflow and
feed the attached data into this target function:

#include <cstddef>
#include <cstring>
#include <regex.h>

// libFuzzer entry point: the input bytes serve both as the pattern to
// compile and as the subject string matched against it.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  // Copy the input into a NUL-terminated buffer for the POSIX regex API.
  char *str = new char[size+1];
  memcpy(str, data, size);
  str[size] = 0;
  regex_t preg;
  if (0 == regcomp(&preg, str, 0)) {
    regmatch_t pmatch[5];
    regexec(&preg, str, 5, pmatch, 0);
    regfree(&preg);
  }
  delete [] str;
  return 0;
}


On different reproducers (all attached) the overflow happens
in different places, but all on the same variable in find_minlength.

src/pcre2_study.c:162:18: runtime error: signed integer overflow: 1258933984 + 1254561840 cannot be represented in type 'int'
src/pcre2_study.c:183:18: runtime error: signed integer overflow: 1642076300 + 1642076299 cannot be represented in type 'int'
src/pcre2_study.c:559:18: runtime error: signed integer overflow: 1919010401 + 1919010391 cannot be represented in type 'int'
src/pcre2_study.c:559:25: runtime error: signed integer overflow: 7252 * 4372144 cannot be represented in type 'int'
src/pcre2_study.c:571:20: runtime error: signed integer overflow: 1462063878 + 1919010390 cannot be represented in type 'int'
src/pcre2_study.c:592:24: runtime error: signed integer overflow: 1919010394 + 1919010390 cannot be represented in type 'int'
