Global-Buffer-Overflow in pcre2(src/pcre2_script_run.c:127:27 in _pcre2_script_run_8)

[longuu9]

We found a heap-buffer-overflow in pcre2-10.43-DEV(src/pcre2_script_run.c:127:27 in _pcre2_script_run_8),which can also be reproduced on pcre2-10.42.

Command Input

pcre2test -d poc_file /dev/null

poc_file are attached.

Sanitizer Dump

==751832==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000083e4e0 at pc 0x0000007a26ca bp 0x7ffc998ee390 sp 0x7ffc998ee388
READ of size 2 at 0x00000083e4e0 thread T0
    #0 0x7a26c9 in _pcre2_script_run_8 /root/target/Invariants/pcre2/src/pcre2_script_run.c:127:27
    #1 0x77e257 in match /root/target/Invariants/pcre2/src/pcre2_match.c:5845:12
    #2 0x63464e in pcre2_match_8 /root/target/Invariants/pcre2/src/pcre2_match.c:7307:8
    #3 0x4e8efd in process_data /root/target/Invariants/pcre2/src/pcre2test.c:7801:9
    #4 0x4cef20 in main /root/target/Invariants/pcre2/src/pcre2test.c:9470:12
    #5 0x7f2a34e20082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c35d in _start (/root/target/Invariants/pcre2/pcre2test+0x41c35d)

0x00000083e4e0 is located 0 bytes to the right of global variable '_pcre2_ucd_stage1_8' defined in 'src/pcre2_ucd.c:1853:16' (0x83a0e0) of size 17408
SUMMARY: AddressSanitizer: global-buffer-overflow /root/target/Invariants/pcre2/src/pcre2_script_run.c:127:27 in _pcre2_script_run_8
Shadow bytes around the buggy address:
  0x0000800ffc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800ffc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800ffc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800ffc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800ffc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800ffc90: 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9
  0x0000800ffca0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800ffcb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800ffcc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800ffcd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800ffce0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==751832==ABORTING

Environment

• OS: Ubuntu 20.04.1
• clang:12.0.0
• pcre2:pcre2-10.43-DEV

we built pcre2 with AddressSanitizer (ASAN) .

./configure CC=clang CXX=clang++ CFLAGS='-g -O0 -fsanitize=address' CXXFLAGS='-g -O0 -fsanitize=address' --disable-shared

pcre2-10.43-DEV configuration summary:

    Install prefix ..................... : /usr/local
    C preprocessor ..................... : clang -E
    C compiler ......................... : clang
    Linker ............................. : /usr/bin/ld -m elf_x86_64
    C preprocessor flags ............... : 
    C compiler flags ................... : -g -O0 -fsanitize=address -fvisibility=hidden
    Linker flags ....................... : 
    Extra libraries .................... :

poc_file.zip

[PhilipHazel]

This is another no_utf_check instance. See #229.