CESA-2007-006 - rev 4

[See all my vulnerabilities at http://scary.beasts.org/security]

pcre integer / buffer overflows

Note - the problems noted here were actualy fixed a while ago in v6.7. However, my colleague Tavis Ormandy has found multiple serious issues in more recent versions. You really should use at least v7.3 if you need a secure pcre.

More interesting usages of pcre to parse untrusted regular expressions include: Apple Safari, including the iPhone. PHP. Others I can't yet mention :)

1) Integer overflow leading to buffer overflow.

pcre_compile:
---
/* Compute the size of data block needed and get it, either from malloc or
externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);
re = (real_pcre *)(pcre_malloc)(size);
---

(?P<AAA...have 10^6 As in total...AAA>)(?P<0>)(?P<1>)...fill in this sequence...(?P<4293>)

2) Uncharacterized crash researching item #1 above: Demo:

(?P<AAA...have 100 As in total...>)(?P<0>)(?P<1>)...fill in this sequence...(?P<3999>)

3) More possible integer overflow trouble.

pcre_compile:
---
    if (min == 0)
      {
      length++;
      if (max > 0) length += (max - 1) * (duplength + 3 + 2*LINK_SIZE);
      }
...
    else
      {
      length += (min - 1) * duplength;
      if (max > min)   /* Need this test as max=-1 means no limit */
        length += (max - min) * (duplength + 3 + 2*LINK_SIZE)
          - (2 + 2*LINK_SIZE);
      }
---

Credits

• Google - this flaw was discovered in Google's time. I'm with Google's Security Team, and we're always recruiting talented security individuals. Mail me.