In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. References: http://seclists.org/oss-sec/2017/q3/111
Created glib2 tracking bugs for this issue:
Affects: fedora-all [bug 1470109]

Created mingw-glib2 tracking bugs for this issue:
Affects: epel-7 [bug 1470110]
Affects: fedora-all [bug 1470113]

Created mingw-pcre tracking bugs for this issue:
Affects: epel-7 [bug 1470112]
Affects: fedora-all [bug 1470108]

Created pcre tracking bugs for this issue:
Affects: fedora-all [bug 1470111]
PCRE uses a stack-based recursive algorithm for matching by default. The reproducer:

#include <pcreposix.h>

int main(void)
{
    regex_t regtmp;
    /* Pattern "(a*\V*\C+)*o墀" given as UTF-8 bytes, compiled in UTF-8 mode. */
    if (regcomp(&regtmp, "\x28\x61\x2A\x5C\x56\x2A\x5C\x43\x2B\x29\x2A\x6F\xE5\xA2\x80", REG_UTF8) == 0) {
        regmatch_t pmatch[1];
        /* Subject "lo墀- "; this call recurses until the stack is exhausted. */
        regexec(&regtmp, "\x6C\x6F\xE5\xA2\x80\x2D ", 1, pmatch, 0);
        regfree(&regtmp);
    }
    return 0;
}

compiled with:

$ gcc $(pcre-config --cflags-posix --libs-posix) test.c -O0 -g

requires around 58000 KB of stack:

# su - test -c 'ulimit -s 57000 && /tmp/a.out'
Segmentation fault (core dumped)
# su - test -c 'ulimit -s 58000 && /tmp/a.out'

In my opinion this is not a bug.