Heap-Buffer-Overflow in pcre2(src/pcre2_match.c:1950:11 in match)

[longuu9]

We found a heap-buffer-overflow in pcre2-10.43-DEV(src/pcre2_match.c:1950:11 in match),which can also be reproduced on pcre2-10.42.

Command Input

pcre2test -d poc_file /dev/null

poc_file are attached.

Sanitizer Dump

==715851==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004200 at pc 0x00000067b062 bp 0x7ffc02624230 sp 0x7ffc02624228
READ of size 1 at 0x629000004200 thread T0
    #0 0x67b061 in match /root/target/Invariants/pcre2/src/pcre2_match.c:1950:11
    #1 0x63464e in pcre2_match_8 /root/target/Invariants/pcre2/src/pcre2_match.c:7307:8
    #2 0x4e8efd in process_data /root/target/Invariants/pcre2/src/pcre2test.c:7801:9
    #3 0x4cef20 in main /root/target/Invariants/pcre2/src/pcre2test.c:9470:12
    #4 0x7faa0fd05082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c35d in _start (/root/target/Invariants/pcre2/pcre2test+0x41c35d)

0x629000004200 is located 0 bytes to the right of 16384-byte region [0x629000000200,0x629000004200)
allocated by thread T0 here:
    #0 0x4978d9 in realloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x4de0d0 in process_data /root/target/Invariants/pcre2/src/pcre2test.c:6867:24
    #2 0x4cef20 in main /root/target/Invariants/pcre2/src/pcre2test.c:9470:12
    #3 0x7faa0fd05082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/target/Invariants/pcre2/src/pcre2_match.c:1950:11 in match
Shadow bytes around the buggy address:
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8840:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==715851==ABORTING

Environment

• OS: Ubuntu 20.04.1
• clang:12.0.0
• pcre2:pcre2-10.43-DEV

we built pcre2 with AddressSanitizer (ASAN) .

./configure CC=clang CXX=clang++ CFLAGS='-g -O0 -fsanitize=address' CXXFLAGS='-g -O0 -fsanitize=address' --disable-shared

pcre2-10.43-DEV configuration summary:

    Install prefix ..................... : /usr/local
    C preprocessor ..................... : clang -E
    C compiler ......................... : clang
    Linker ............................. : /usr/bin/ld -m elf_x86_64
    C preprocessor flags ............... : 
    C compiler flags ................... : -g -O0 -fsanitize=address -fvisibility=hidden
    Linker flags ....................... : 
    Extra libraries .................... : 

poc_file.zip

[PhilipHazel]

I haven't looked at the detail of this, but I can see that you have once again used no_utf_check on an invalid UTF-8 sequence, same as #229 and #230.