CVE-2006-7224 initially described several integer overflows in pcre, all described here: http://scary.beasts.org/security/CESA-2007-006.html This id should be used to describe issue #2 in that advisory: 3) More possible integer overflow trouble. pcre_compile: --- if (min == 0) { length++; if (max > 0) length += (max - 1) * (duplength + 3 + 2*LINK_SIZE); } ... else { length += (min - 1) * duplength; if (max > min) /* Need this test as max=-1 means no limit */ length += (max - min) * (duplength + 3 + 2*LINK_SIZE) - (2 + 2*LINK_SIZE); } --- In both these cases, I see no reason why a malicious regexp pattern couldn't cause an integer overflow by using large min / max / duplength values. This will really mess up the critical "length" value.
Reference in PCRE changelog for version 6.7: 11. Subpatterns that are repeated with specific counts have to be replicated in the compiled pattern. The size of memory for this was computed from the length of the subpattern and the repeat count. The latter is limited to 65535, but there was no limit on the former, meaning that integer overflow could in principle occur. The compiled length of a repeated subpattern is now limited to 30,000 bytes in order to prevent this.
Looking at the RHEL-4 included pcre, the only thing I can see referencing duplength is: if (minval == 0) length++; else if (minval > 1) length += (minval - 1) * duplength; if (maxval > minval) length += (maxval - minval) * (duplength + 1); ...which does look like a bug, but the code is different (the code is basically the same for RHEL-2.1 and RHEL-3). It looks like that's the "only"[1] thing I need to fix, is that so? [1] I've also added the code to get out the loop and fail if any of the adds in the loop cross the 65535 barrier or go negative.
My comment is in reference to python's pypcre (for anyone being confused about now :).
Re comment 11: James, I'm not quite sure I understand your question, hope I do... ;) Yes, the code snippet is the place where the problem occurs. I've checked your patch. Unlike upstream pcre, it does not add arbitrary hard-coded limit (duplength <= 30000), but looks good to me.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-1059.html http://rhn.redhat.com/errata/RHSA-2007-1063.html http://rhn.redhat.com/errata/RHSA-2007-1065.html http://rhn.redhat.com/errata/RHSA-2007-1068.html http://rhn.redhat.com/errata/RHSA-2007-1077.html http://rhn.redhat.com/errata/RHSA-2007-1076.html