PCRE2Project / pcre2

PCRE2 development is now based here.

Heap-buffer-overflow on pcre2_compile_8 #294

Closed frokaikan closed 1 year ago

frokaikan commented 1 year ago

Here is the code:

#include <cstdio>
#include <cstdlib>
#include <cstdint>
#define PCRE2_CODE_UNIT_WIDTH 8
extern "C" {
    #include "config.h"
    #include "pcre2.h"
}

// Read the whole file into a malloc'd buffer; size receives the byte count.
// Returns nullptr (and size 0) if the file cannot be opened or read.
void* readFile (const char* fileName, size_t& size) {
    size = 0;
    FILE* filePtr = fopen(fileName, "rb");   // binary mode: keep the bytes exactly as stored
    if (filePtr == nullptr) return nullptr;
    fseek(filePtr, 0, SEEK_END);
    long len = ftell(filePtr);
    fseek(filePtr, 0, SEEK_SET);
    if (len < 0) { fclose(filePtr); return nullptr; }
    size = static_cast<size_t>(len);
    void* ret = malloc(size);
    if (ret != nullptr && size > 0 && fread(ret, size, 1, filePtr) != 1) {
        free(ret);
        ret = nullptr;
        size = 0;
    }
    fclose(filePtr);
    return ret;
}

int main (int argc, char** argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pattern-file>\n", argv[0]);
        return 1;
    }
    size_t size;
    void* data = readFile(argv[1], size);
    if (data == nullptr) return 1;
    // Option word used for the report; it includes PCRE2_UTF and PCRE2_NO_UTF_CHECK,
    // so the pattern bytes are treated as UTF-8 without being validated first.
    uint32_t option = 3758785504;
    int errorCode;
    size_t offset;
    pcre2_code_8* code = pcre2_compile_8(static_cast<unsigned char*>(data), size, option, &errorCode, &offset, nullptr);

    pcre2_code_free_8(code);   // safe to call with a null pointer if compilation failed
    free(data);
}

and here is the input file: testData.txt

AddressSanitizer reports like this:

=================================================================
==1384649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000037a at pc 0x562e819fb648 bp 0x7fff3645fd90 sp 0x7fff3645fd88
READ of size 1 at 0x61700000037a thread T0
    #0 0x562e819fb647 in parse_regex pcre2/src/pcre2_compile.c:2804:3
    #1 0x562e819f393d in pcre2_compile_8 pcre2/src/pcre2_compile.c:10391:13
    #2 0x562e819d54e7 in main pcre2/TDDSuite_build/test.cc:25:26
    #3 0x7f2ca5c34082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x562e8191277d in _start (pcre2/TDDSuite_build/test.exe+0x6177d)

0x61700000037a is located 0 bytes to the right of 762-byte region [0x617000000080,0x61700000037a)
allocated by thread T0 here:
    #0 0x562e8199744e in malloc /home/frokaikan/Desktop/workspace/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x562e819d52ee in readFile(char*, unsigned long&) pcre2/TDDSuite_build/test.cc:14:17
    #2 0x562e819d547b in main pcre2/TDDSuite_build/test.cc:21:18
    #3 0x7f2ca5c34082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
PhilipHazel commented 1 year ago

This is not a bug. You have disobeyed the API. You have set the options PCRE2_UTF and PCRE2_NO_UTF_CHECK and then passed a string that is invalid UTF. This is documented to result in undefined behaviour. The option PCRE2_NO_UTF_CHECK is provided as an optimization for when you are sure the string is valid. If you are generating random strings for fuzzing purposes (for example) you must not set this option.
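The maintainer's point is that PCRE2_NO_UTF_CHECK is a promise that the caller has already validated the pattern. An added example of what a fuzzing harness can do to keep that promise (this is illustrative code, not part of the issue or of PCRE2): it defines the two option bits with the values from pcre2.h so it builds without the library, validates the pattern as UTF-8 with a hypothetical helper `utf8_is_valid`, and clears PCRE2_NO_UTF_CHECK from the option word when the pattern is not valid, so pcre2_compile() performs its own check and returns an error instead of reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Values as defined in pcre2.h; repeated here so the example builds without linking PCRE2. */
#define PCRE2_UTF          0x00080000u
#define PCRE2_NO_UTF_CHECK 0x40000000u

/* Minimal UTF-8 validator (hypothetical helper). Returns true only if every sequence is
 * well-formed, not overlong, not a surrogate, <= U+10FFFF, and does not run past len.
 * A truncated trailing sequence is exactly what lets an unchecked parser read beyond the buffer. */
static bool utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need; uint32_t cp, min;
        if (c < 0x80)                { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return false;                    /* stray continuation byte or 0xF8..0xFF lead byte */
        if (len - i - 1 < need) return false; /* sequence truncated by the end of the buffer */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        i += need + 1;
    }
    return true;
}

/* Returns the option word that is safe to pass to pcre2_compile() for this pattern:
 * PCRE2_NO_UTF_CHECK is kept only when the pattern has just been verified as valid UTF-8.
 * For untrusted or fuzzed input the flag is dropped so PCRE2 does its own check and
 * reports an error rather than invoking undefined behaviour. */
static uint32_t safe_compile_options(uint32_t options, const unsigned char *pat, size_t len)
{
    if ((options & PCRE2_UTF) && (options & PCRE2_NO_UTF_CHECK) && !utf8_is_valid(pat, len))
        options &= ~PCRE2_NO_UTF_CHECK;
    return options;
}
```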