
Fix out-of-bounds memory accesses in regex parsing

Open · opened by alpire · 0 comments

This PR fixes out-of-bounds memory accesses in regex parsing found by OSS-Fuzz.

Out-of-bounds write

The implicit casting from integer to unsigned char of min & max in parserep allowed a maliciously crafted input to bypass the max < min check in parserep. This would later lead to a mismatch between the result of count and the number of emit calls, resulting in a heap out-of-bounds write in emit.

Example input: 3{3,65}3{55555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555553,65}35{61,}

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27631
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27735

Out-of-bounds read in parseatom

Example input: ((((((((((((((((\17+

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28561

alpire · Oct 28 '21 15:10
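The narrowing bug described in the write-up is easy to reproduce in miniature. The following is an added example, not librdkafka's regexp.c and not part of this PR: it models a repeat node whose bounds are validated as ints but stored in 8-bit fields, then compares the slot count a sizing pass would reserve against the slots an emit pass would actually write. The struct layout, the `REP_INF` sentinel, `ATOM_SLOTS`, and all function names are assumptions made for the illustration; the lexer that turns `{55555...,65}` into an overflowed int is out of scope, so bounds are passed in directly.

```c
#include <stdio.h>

/* Added illustration, not librdkafka code. Assumed constants:            */
#define REP_INF    255  /* sentinel for an unbounded upper limit            */
#define ATOM_SLOTS 1    /* the repeated atom compiles to one instruction    */

/* 8-bit storage for the quantifier bounds: this is where a validated int
 * silently becomes a different, smaller number.                            */
struct rep {
    unsigned char min, max;
};

/* Shape of the bug: check the ints, then store truncated values.          */
static int parserep_unchecked(struct rep *r, int min, int max)
{
    if (max < min)                 /* passes for 100,300 ... */
        return -1;
    r->min = (unsigned char)min;   /* ... but 300 is stored as 44        */
    r->max = (unsigned char)max;
    return 0;
}

/* Hardened: reject anything that would not survive the narrowing.         */
static int parserep_checked(struct rep *r, int min, int max)
{
    if (min < 0 || max < 0)
        return -1;                 /* an overflowed count shows up negative */
    if (min >= REP_INF || max >= REP_INF)
        return -1;                 /* does not fit the 8-bit field          */
    if (max < min)
        return -1;
    r->min = (unsigned char)min;
    r->max = (unsigned char)max;
    return 0;
}

/* Sizing pass: slots the allocator reserves for the repeat.               */
static int count_slots(const struct rep *r)
{
    int min = r->min, max = r->max;
    if (min == max)
        return ATOM_SLOTS * min;
    if (max < REP_INF)
        return ATOM_SLOTS * max + (max - min);   /* negative once max < min */
    return ATOM_SLOTS * (min + 1) + 2;
}

/* Emit pass: slots the compiler actually writes for the same node.        */
static int emit_slots(const struct rep *r)
{
    int i, n = 0;
    for (i = 0; i < r->min; i++)             /* mandatory copies: all of min */
        n += ATOM_SLOTS;
    if (r->min == r->max)
        return n;
    if (r->max < REP_INF) {
        for (i = r->min; i < r->max; i++)    /* optional copies: split + atom */
            n += ATOM_SLOTS + 1;
        return n;                            /* loop is skipped when max < min */
    }
    return n + ATOM_SLOTS + 2;
}

/* Slots written minus slots reserved. Positive means the emit pass runs
 * past the allocation, i.e. the heap out-of-bounds write. 0 if rejected.   */
static int overflow_slots(int (*parse)(struct rep *, int, int), int min, int max)
{
    struct rep r;
    if (parse(&r, min, max) != 0)
        return 0;
    return emit_slots(&r) - count_slots(&r);
}

int main(void)
{
    printf("{2,5}     unchecked: %d extra slots\n", overflow_slots(parserep_unchecked, 2, 5));
    printf("{100,300} unchecked: %d extra slots\n", overflow_slots(parserep_unchecked, 100, 300));
    printf("{100,300} checked:   %d extra slots\n", overflow_slots(parserep_checked, 100, 300));
    return 0;
}
```

With `{100,300}` the int comparison is satisfied, but the stored `max` is 44, so the sizing pass reserves a negative number of slots while the emit pass still writes 100 mandatory copies. The hardened parser refuses any bound that does not fit the field, which is the property a range check has to guarantee before the value is narrowed.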