Bug 383341 (CVE-2006-7227) - CVE-2006-7227 pcre integer overflow
Summary: CVE-2006-7227 pcre integer overflow
Alias: CVE-2006-7227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 411731 413871 414271
Blocks: CVE-2006-7224
TreeView+ depends on / blocked
Reported: 2007-11-14 20:49 UTC by Josh Bressers
Modified: 2019-09-29 12:22 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-11 17:37:47 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1052 0 normal SHIPPED_LIVE Important: pcre security update 2007-11-15 12:20:41 UTC

Description Josh Bressers 2007-11-14 20:49:21 UTC
CVE-2006-7224 initially described several integer overflows in pcre, all
described here:

This id should be used to describe issue #1 in that advisory:

1) Integer overflow leading to buffer overflow.

/* Compute the size of data block needed and get it, either from malloc or
externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);
re = (real_pcre *)(pcre_malloc)(size);

Unfortunately, a malicious regex can easily cause large "name_count" and
"max_name_size" such that this calculation overflows. Demo:

(?P)(?P<0>)(?P<1>)...fill in this sequence...(?P<4293>)

Comment 1 Tomas Hoger 2007-11-15 10:54:14 UTC
Reference in PCRE changelog for version 6.7:

10. There was no check on the number of named subpatterns nor the maximum
    length of a subpattern name. The product of these values is used to compute
    the size of the memory block for a compiled pattern. By supplying a very
    long subpattern name and a large number of named subpatterns, the size
    computation could be caused to overflow. This is now prevented by limiting
    the length of names to 32 characters, and the number of named subpatterns
    to 10,000.

Comment 5 Red Hat Product Security 2008-01-11 17:37:47 UTC
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.