==3240442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b600 at pc 0x55555558efa2 bp 0x7fffffffdd30 sp 0x7fffffffd4f0
WRITE of size 1056 at 0x62a00000b600 thread T0
[Attaching after Thread 0x7ffff7c6e040 (LWP 3240442) fork to child process 3240443]
toka@tokavm:~/pcre2$ ./fuzz ./crash2
------ ./crash2 ------
Length = 145
Compile options 807de3b2 never_backslash_c,alt_bsux,alt_circumflex,alt_verbnames,anchored,dollar_endonly,dotall,extended,firstline,match_unset_backref,no_auto_capture,no_auto_possess,no_dotstar_anchor,no_start_optimize,ungreedy,utf
Match options 80002032,anchored,no_jit,noteol,partial_hard,partial_soft
Match returned 1
Match options 00000000
Match returned 1
DFA match options 80000032,anchored,noteol,partial_hard,partial_soft
Match failed: error -43: workspace size exceeded in DFA matching
DFA match options 00000000
Match failed: error -43: workspace size exceeded in DFA matching
Compile options 00100000 never_backslash_c
Match options 80002032,anchored,no_jit,noteol,partial_hard,partial_soft
=================================================================
==3240454==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b600 at pc 0x5574f8fa6fa2 bp 0x7ffea71e1c50 sp 0x7ffea71e1410
WRITE of size 1056 at 0x62a00000b600 thread T0
#0 0x5574f8fa6fa1 in __interceptor_memcpy (/home/toka/pcre2/fuzz+0x3afa1) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
#1 0x5574f90795dc in pcre2_match_8 (/home/toka/pcre2/fuzz+0x10d5dc) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
#2 0x5574f9060732 in LLVMFuzzerTestOneInput (/home/toka/pcre2/fuzz+0xf4732) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
#3 0x5574f9061563 in main (/home/toka/pcre2/fuzz+0xf5563) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
#4 0x7f73d8442d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7f73d8442e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#6 0x5574f8f8b364 in _start (/home/toka/pcre2/fuzz+0x1f364) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
0x62a00000b600 is located 0 bytes after 21504-byte region [0x62a000006200,0x62a00000b600)
allocated by thread T0 here:
#0 0x5574f902518e in __interceptor_malloc (/home/toka/pcre2/fuzz+0xb918e) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
#1 0x5574f907c9a2 in pcre2_match_8 (/home/toka/pcre2/fuzz+0x1109a2) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/toka/pcre2/fuzz+0x3afa1) (BuildId: 091cbef0f0e6259ef7989ad9ae2a43da47c36751) in __interceptor_memcpy
Shadow bytes around the buggy address:
0x62a00000b380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a00000b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a00000b480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a00000b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a00000b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62a00000b600:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a00000b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a00000b700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a00000b780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a00000b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a00000b880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3240454==ABORTING
It's also reproducible with pcre2grep:
toka@tokavm:~/pcre2$ echo a > input
toka@tokavm:~/pcre2$ ./pcre2grep "(*LIMIT_HEAP=21)()((?))()()()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()()()()()()()()()(())()()()()()()()()()()()()()" ./input
pcre2grep: pcre2_match() gave error -63 while matching this text:
a
double free or corruption (out)
Aborted (core dumped)
toka@tokavm:~/pcre2$
Hi, I encountered a heap overflow on the latest pcre2.
To reproduce: