Issue metadata
Sign in to add a comment
|
Security: Out-Of-Bound read in Flash PCRE (regex engine)
Reported by
sweetv...@gmail.com,
Feb 19 2017
|
||||||||||||||||||||||
Issue description
VULNERABILITY DETAILS
There is a OOB read bug in the PCRE engine used in Flash player. This bug exists in match function while parsing the data that contains unicode.
src/pcre2_intmodedep.h
#define BACKCHAR(eptr) if ((*eptr & 0xfc00u) == 0xdc00u) eptr--
src/pcre2_match.c:3311
for(;;)
{
RMATCH(eptr, ecode, offset_top, mb, eptrb, RM21);
if (rrc != MATCH_NOMATCH) RRETURN(rrc);
if (eptr-- == pp) break; /* Stop if tried at original pos */
#ifdef SUPPORT_UNICODE
if (utf) BACKCHAR(eptr);
#endif
}
The bugs occurs BACKCHAR macro when 'eptr' points specific letter(e.g. 'Ώ' or 'ŀ' and so on).
In this case, 'eptr--' code will execute 'twice'. (First code : if (eptr-- == pp), Second code : BACKCHAR(eptr);).
And eptr's value will be lower than pp. So, It will loop until found the match data(potential info leak) or crash.
To fix this problem, we need to modify break condition.
src/pcre2_match.c:3158
if (eptr-- == pp) break; to if (eptr-- <= pp) break;
src/pcre2_match.c:3315
if (eptr-- == pp) break; to if (eptr-- <= pp) break;
VERSION
Chrome Version: 56.0.2924.87 stable
Operating System: Windows 10
Flash Version : 24.0.0.221
PCRE2 Version : 10.23
REPRODUCTION CASE
To reproduce crash in chrome
1. I attached the testcase to reproduce bug. Please download the Main.swf (or compile Main.as using mxmlc) and index.html.
2. Execute index.html
To download pcre2 engine
- You can download the source code at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
,
Feb 21 2017
,
Feb 21 2017
Hello! I attached two logs. - callstack.txt : crash log (Include call stack). - pcre2grep_asan_log.txt : ASAN output of pcre2grep. (This log will help you. pcre2grep is one of the tools of pcre2 project) Thank you.
,
Feb 21 2017
,
Mar 7 2017
ihf: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 7 2017
This is fixed in 25.0.0.127.
,
Mar 8 2017
,
Mar 13 2017
,
Mar 15 2017
,
Mar 15 2017
Congratulations! The panel decided to award $2,000 for this bug. Cheers!
,
Mar 15 2017
,
Mar 17 2017
,
Mar 18 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 18 2017
No merge's necessary.
,
Apr 4 2017
,
Jun 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by raymes@chromium.org
, Feb 20 2017Labels: Security_Severity-Medium Security_Impact-Stable OS-Windows Pri-1
Owner: ihf@chromium.org
Status: Assigned (was: Unconfirmed)