From 28512e5b62457f0ff6f2d72e3e5c9226b9e0203d Mon Sep 17 00:00:00 2001 
From: Fabian Keil
Date: Mon, 22 Feb 2021 09:17:30 +0100
Subject: [PATCH] Obsolete pcre: Prevent invalid memory accesses ...
... with an invalid pattern passed to pcre_compile().
==22377== Invalid write of size 1
==22377== at 0x466E37: compile_branch (pcre.c:2001)
==22377== by 0x45FA64: compile_regex (pcre.c:2164)
==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
==22377== by 0x467B6D: regcomp (pcreposix.c:206)
==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
==22377== Address 0x7177469 is 4 bytes after a block of size 1,125 alloc'd
==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==22377== by 0x45ED5C: pcre_compile (pcre.c:3054)
==22377== by 0x467B6D: regcomp (pcreposix.c:206)
==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
==22377== by 0x43ADDB: chat (jcc.c:4241)
==22377== Invalid read of size 1
==22377== at 0x466FCC: compile_branch (pcre.c:2053)
==22377== by 0x45FA64: compile_regex (pcre.c:2164)
==22377== by 0x45EE77: pcre_compile (pcre.c:3077)
==22377== by 0x467B6D: regcomp (pcreposix.c:206)
==22377== by 0x456FFF: compile_pattern (urlmatch.c:667)
==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
==22377== Address 0x7176fb1 is 0 bytes after a block of size 1,057 alloc'd
==22377== at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==22377== by 0x44C3F0: malloc_or_die (miscutil.c:194)
==22377== by 0x456FBB: compile_pattern (urlmatch.c:662)
==22377== by 0x4571F3: compile_url_pattern (urlmatch.c:752)
==22377== by 0x456E46: create_pattern_spec (urlmatch.c:1243)
==22377== by 0x4241DF: get_url_spec_param (cgiedit.c:1870)
==22377== by 0x42448D: cgi_edit_actions_add_url (cgiedit.c:3587)
==22377== by 0x40FCE9: dispatch_known_cgi (cgi.c:588)
==22377== by 0x40FA7A: dispatch_cgi (cgi.c:383)
==22377== by 0x43C511: crunch_response_triggered (jcc.c:920)
==22377== by 0x43ADDB: chat (jcc.c:4241)
==22377== by 0x439DA5: serve (jcc.c:4778)
OVE-20210222-0001.
pcre 8.44 does not seem to be affected.
Reported by: Joshua Rogers (Opera)
---
pcre/pcre.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pcre/pcre.c b/pcre/pcre.c
index 4f8f82cd..9cd178e7 100644
--- a/pcre/pcre.c
+++ b/pcre/pcre.c
@@ -2050,7 +2050,7 @@ for (;; ptr++)
 /* This "while" is the end of the "do" above. */
- while (length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
+ while (*ptr && length < MAXLIT && (cd->ctypes[c = *(++ptr)] & ctype_meta) == 0);
 /* Update the last character and the count of literals */
--
2.39.2
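Review bot: The new `*ptr &&` guard stops the loop from reading past the pattern's terminating NUL, but because it is the condition of a do-while it is evaluated only after the body has already processed the current character, so a body iteration that leaves `ptr` on the terminator (the trace shows an invalid pattern, plausibly an incomplete escape, but the loop body and the rest of compile_branch are outside the hunk) still emits that character before the loop stops — worth confirming that any error flagged in the body is checked before the emitted code is used. The write 4 bytes past the 1,125-byte code block in the same trace means the pre-compile length estimate and the actual emission disagreed; if this obsolete copy has no post-compile check that the emitted length stays within the estimate, adding one would turn a future mismatch into a compile error instead of a heap overflow. The guard also deserves a comment, since next to the ctype_meta test it reads as redundant: `/* Check *ptr before advancing: an invalid pattern can leave ptr on the terminating NUL here (OVE-20210222-0001). */`. The commit message says pcre 8.44 is unaffected, so this is a Privoxy-only fix that a regression test built from the reporter's pattern would protect.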