Bugzilla – Bug 1066649
VUL-1: CVE-2017-16231: pcre: match() stack overflow
Last modified: 2020-04-01 17:00:48 UTC
Created attachment 747250 [details] proof of concept to be used with pcretest CVE-2017-16231 after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16231 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16231.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16231
Upstream rejected the issue: https://bugs.exim.org/show_bug.cgi?id=2047 It is very easy to write patterns that have extremely large search trees, and these can consume a lot of time and/or stack in the current implementation of pcre2_match(). There are options (*LIMIT_MATCH) and (*LIMIT_RECURSION) that can be used to limit the amount of stack that is used. The limits can also be set from pcretest and from programs that call the library directly. This is all well documented. I agree, closing