FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pcre -- heap overflow vulnerability

Affected packages
pcre < 8.37_4


VuXML ID 6900e6f1-4a79-11e5-9ad8-14dae9d210b8
Discovery 2015-08-21
Entry 2015-08-24

Guanxing Wen reports:

PCRE library is prone to a vulnerability which leads to Heap Overflow. During the compilation of a malformed regular expression, more data is written on the malloced block than the expected size output by compile_regex(). The Heap Overflow vulnerability is caused by the following regular expression.


A dry run of this particular regular expression with pcretest will reports "double free or corruption (!prev)". But it is actually a heap overflow problem. The overflow only affects pcre 8.x branch, pcre2 branch is not affected.