CVE-2006-7224 initially described several integer overflows in pcre, all described here: http://scary.beasts.org/security/CESA-2007-006.html

This id should be used to describe issue #1 in that advisory:

1) Integer overflow leading to buffer overflow.

pcre_compile:
---
/* Compute the size of data block needed and get it, either from malloc or
externally provided function. */

size = length + sizeof(real_pcre) + name_count * (max_name_size + 3);

re = (real_pcre *)(pcre_malloc)(size);
---

Unfortunately, a malicious regex can easily cause large "name_count" and "max_name_size" such that this calculation overflows.

Demo: (?P)(?P<0>)(?P<1>)...fill in this sequence...(?P<4293>)
Reference in PCRE changelog for version 6.7:

10. There was no check on the number of named subpatterns nor the maximum length of a subpattern name. The product of these values is used to compute the size of the memory block for a compiled pattern. By supplying a very long subpattern name and a large number of named subpatterns, the size computation could be caused to overflow. This is now prevented by limiting the length of names to 32 characters, and the number of named subpatterns to 10,000.
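The size computation above and the 6.7 limits from the changelog, as an added C example that is not PCRE's code: it reproduces the shape of the pcre_compile calculation with constructed values (HEADER_SIZE stands in for sizeof(real_pcre) and is an assumption) to show how the unchecked 32-bit arithmetic wraps to a small block size, beside a checked version that applies the 32-character name and 10,000-subpattern limits and guards the final sum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: HEADER_SIZE replaces sizeof(real_pcre);
 * the two limits are the ones the PCRE 6.7 changelog describes. */
#define HEADER_SIZE    80u
#define MAX_NAME_SIZE  32u
#define MAX_NAME_COUNT 10000u

/* Same expression as the vulnerable code, evaluated in 32-bit
 * arithmetic with no checks: the product can wrap. */
uint32_t naive_size32(uint32_t length, uint32_t name_count,
                      uint32_t max_name_size)
{
    return length + HEADER_SIZE + name_count * (max_name_size + 3);
}

/* 1 if the 32-bit result differs from the exact 64-bit value,
 * i.e. the allocation would be smaller than what gets written. */
int naive_wraps(uint32_t length, uint32_t name_count, uint32_t max_name_size)
{
    uint64_t exact = (uint64_t)length + HEADER_SIZE
                   + (uint64_t)name_count * ((uint64_t)max_name_size + 3);
    return naive_size32(length, name_count, max_name_size) != exact;
}

/* Hardened version: the limits bound the table term (at most
 * 10000 * 35 bytes), and the sum is still guarded. Returns the
 * block size, or 0 when the input is rejected. */
size_t checked_size_or_zero(size_t length, size_t name_count,
                            size_t max_name_size)
{
    if (max_name_size > MAX_NAME_SIZE || name_count > MAX_NAME_COUNT)
        return 0;                         /* limits added in PCRE 6.7 */
    size_t table = name_count * (max_name_size + 3);
    if (length > SIZE_MAX - HEADER_SIZE)
        return 0;
    size_t total = length + HEADER_SIZE;
    if (table > SIZE_MAX - total)
        return 0;                         /* overflow guard on the sum */
    return total + table;
}

int main(void)
{
    /* Constructed values: 5000 names, longest name 1,000,000 bytes. */
    printf("naive 32-bit size: %u (wraps: %d)\n",
           naive_size32(30000u, 5000u, 1000000u),
           naive_wraps(30000u, 5000u, 1000000u));
    printf("checked size: %zu (0 = rejected)\n",
           checked_size_or_zero(30000, 5000, 1000000));
    return 0;
}
```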
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-1052.html