CESA-2007-006 - rev 4

[See all my vulnerabilities at http://scary.beasts.org/security]

pcre integer / buffer overflows

Programs affected: pcre
Fixed version: v7.3
Advisory release date: Nov 7th 2007
Severity: compromise of processes using pcre to parse untrusted regex patterns.

Note - the problems noted here were actualy fixed a while ago in v6.7. However, my colleague Tavis Ormandy has found multiple serious issues in more recent versions. You really should use at least v7.3 if you need a secure pcre.

More interesting usages of pcre to parse untrusted regular expressions include: Apple Safari, including the iPhone. PHP. Others I can't yet mention :)

1) Integer overflow leading to buffer overflow.

/* Compute the size of data block needed and get it, either from malloc or
externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);
re = (real_pcre *)(pcre_malloc)(size);
Unfortunately, a malicious regex can easily cause large "name_count" and "max_name_size" such that this calculation overflows. Demo:
(?P<AAA...have 10^6 As in total...AAA>)(?P<0>)(?P<1>)...fill in this sequence...(?P<4293>)
Causes crash.

2) Uncharacterized crash researching item #1 above: Demo:

(?P<AAA...have 100 As in total...>)(?P<0>)(?P<1>)...fill in this sequence...(?P<3999>)
This does not trigger the integer overflow present in #1 above, but still crashes with a serious-looking memory error of some kind - possibly a buffer overflow.

3) More possible integer overflow trouble.

    if (min == 0)
      if (max > 0) length += (max - 1) * (duplength + 3 + 2*LINK_SIZE);
      length += (min - 1) * duplength;
      if (max > min)   /* Need this test as max=-1 means no limit */
        length += (max - min) * (duplength + 3 + 2*LINK_SIZE)
          - (2 + 2*LINK_SIZE);
In both these cases, I see no reason why a malicious regexp pattern couldn't cause an integer overflow by using large min / max / duplength values. This will really mess up the critical "length" value.


CESA-2007-006 - rev 4
Chris Evans