libpcre: NULL pointer dereference in main (pcretest.c)

Description:
libpcre is a perl-compatible regular expression library.

A fuzz on libpcre1 through the pcretest utility revealed a null pointer dereference in the utility itself. For the nature of the crash, it is not security relevant because the library is not affected but if you have a web application that calls directly the pcretest utility to parse untrusted data, then you are affected.
Also, it is important share the details because some distros/packagers may want to take the patch in their repository.

The complete ASan output:

# pcretest -16 -d $FILE
==26399==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052db1c bp 0x7ffc7de68070 sp 0x7ffc7de67ba0 T0)                                                                                                                                            
==26399==The signal is caused by a READ memory access.                                                                                                                                                                                                                         
==26399==Hint: address points to the zero page.                                                                                                                                                                                                                                
    #0 0x52db1b in main /tmp/portage/dev-libs/libpcre-8.40/work/pcre-8.40/pcretest.c:5083:25                                                                                                                                                                                   
    #1 0x7f70603bc78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
    #2 0x41b438 in _init (/usr/bin/pcretest+0x41b438) 

Affected version:
8.40

Fixed version:
8.41 (not released atm)

Commit fix:
https://vcs.pcre.org/pcre/code/trunk/pcretest.c?r1=1685&r2=1686&sortby=date

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00195-pcre-nullptr-main

Timeline:
2017-02-22: bug discovered and reported to upstream
2017-02-23: upstream released a patch
2017-03-14: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libpcre: NULL pointer dereference in main (pcretest.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *