Heap-Buffer-Overflow in pcre2(src/pcre2_match.c:1753:11 in match)

[longuu9]

We found a heap-buffer-overflow in pcre2-10.43-DEV(src/pcre2_match.c:1753:11 in match),which can also be reproduced on pcre2-10.42.

Command Input

pcre2test -d poc_file /dev/null

poc_file are attached.

Sanitizer Dump

==316217==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004200 at pc 0x0000006701a3 bp 0x7fffbbb293b0 sp 0x7fffbbb293a8
READ of size 1 at 0x629000004200 thread T0
    #0 0x6701a2 in match /root/target/Invariants/pcre2/src/pcre2_match.c:1753:11
    #1 0x63464e in pcre2_match_8 /root/target/Invariants/pcre2/src/pcre2_match.c:7307:8
    #2 0x4e8efd in process_data /root/target/Invariants/pcre2/src/pcre2test.c:7801:9
    #3 0x4cef20 in main /root/target/Invariants/pcre2/src/pcre2test.c:9470:12
    #4 0x7fb642a2f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c35d in _start (/root/target/Invariants/pcre2/pcre2test+0x41c35d)

0x629000004200 is located 0 bytes to the right of 16384-byte region [0x629000000200,0x629000004200)
allocated by thread T0 here:
    #0 0x4978d9 in realloc /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
    #1 0x4de0d0 in process_data /root/target/Invariants/pcre2/src/pcre2test.c:6867:24
    #2 0x4cef20 in main /root/target/Invariants/pcre2/src/pcre2test.c:9470:12
    #3 0x7fb642a2f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/target/Invariants/pcre2/src/pcre2_match.c:1753:11 in match
Shadow bytes around the buggy address:
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8840:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==316217==ABORTING

Environment

• OS: Ubuntu 20.04.1
• clang:12.0.0
• pcre2:pcre2-10.43-DEV

we built pcre2 with AddressSanitizer (ASAN) .

pcre2-10.43-DEV configuration summary:

    Install prefix ..................... : /usr/local
    C preprocessor ..................... : clang -E
    C compiler ......................... : clang
    Linker ............................. : /usr/bin/ld -m elf_x86_64
    C preprocessor flags ............... : 
    C compiler flags ................... : -g -O0 -fsanitize=address -fvisibility=hidden
    Linker flags ....................... : 
    Extra libraries .................... : 

poc_file.zip

[PhilipHazel]

This is a non-issue. The test input that you have given to pcre2test that provokes the overflow is this:

/^[^a]{2,}/utf
\xfc\x80\=no_utf_check

By setting the no_utf_check flag, you are guaranteeing that the input string is valid UTF-8. Your input string is invalid. It is documented that if you do this, the result is undefined. Note that in the test file from which your input seems to be derived, the strings that have no_utf_check are not invalid.