crash in cre2_find_named_capturing_groups #30

@hopper-vul

Description

Hi,
we found a crash in `cre2_find_named_capturing_groups` by fuzzing.

When analyzing the crash dump, the program crashed at
`const std::map<std::string, int>& m = TO_CONST_RE2(re)->NamedCapturingGroups();`.

Here is the trigger program to help you understand and fix this crash;
looking forward to your early reply or fix, thanks.

```c
#include "cre2.h"
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
typedef int8_t  i8;
typedef int32_t i32;
int main(void) {
    const char *v0 = NULL; // pattern (empty)
    i32 v1 = 0;            // pattern_len
    cre2_options_t *v2 = cre2_opt_new(); // opt
    if (v2 == NULL) return 0;
    cre2_options_t *v4 = v2; // opt
    cre2_regexp_t *v5 = cre2_new(v0, v1, v4); // re: first regexp, built from the empty pattern
    if (v5 == NULL) return 0;
    cre2_regexp_t *v7 = v5; // re
    i8 v8_tmp[] = {6, 6, -21, -118, -20, -37, -114, -120, -30, -56, -3, 3, 69, -46, 114, 118, 99, 76, 117, -83, -76, 119, 11, 25, -42, 127, 0, }; // name
    char *v8 = malloc(sizeof v8_tmp);
    if (v8 == NULL) return 0;
    memcpy(v8, v8_tmp, sizeof v8_tmp);
    const char *v9 = v8; // name (overwritten by the iterator below)
    i8 v10_tmp[] = {74, 21, 46, -6, -50, -114, 0, 109, 109, 22, -41, -57, 37, -125, -2, -92, 120, 110, 55, 42, -110, 43, -73, -28, -93, 28, 79, 0, }; // pattern (contains an embedded NUL)
    char *v10 = malloc(sizeof v10_tmp);
    if (v10 == NULL) return 0;
    memcpy(v10, v10_tmp, sizeof v10_tmp);
    const char *v11 = v10; // pattern
    i32 v12 = 28;          // pattern_len (== sizeof v10_tmp, NULs included)
    cre2_regexp_t *v13 = cre2_new(v11, v12, v4); // re: second regexp
    if (v13 == NULL) return 0;
    cre2_regexp_t *v15 = v13; // re
    cre2_named_groups_iter_t *v16 = cre2_named_groups_iter_new(v15); // iter over the second regexp
    if (v16 == NULL) return 0;
    cre2_named_groups_iter_t *v18 = v16; // iter
    i32 v19_tmp[] = {511718782, 19157193, 12820848, -1277658995, -1778605620, -374704804, 545222913, 276302240, 2028354637, 1332063271, 1973481400, 1532375303, 69417297, -465807661, -1391787334, -1573236937, -1162225574, -1519906975, -857038784, 0, }; // index (only the first element is written)
    i32 *v19 = malloc(sizeof v19_tmp);
    if (v19 == NULL) return 0;
    memcpy(v19, v19_tmp, sizeof v19_tmp);
    i32 *v20 = v19; // index
    const char **v21 = &v9; // name: the iterator writes the group name through this pointer
    bool v22 = cre2_named_groups_iter_next(v18, v21, v20); // $relative (return value not checked)
    (void)v22;
    i32 v23 = cre2_find_named_capturing_groups(v7, v9); // $target: looks v9 up in the first (empty-pattern) regexp
    (void)v23;
    return 0;
}
```
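The reproducer hands `cre2_find_named_capturing_groups` whatever pointer `cre2_named_groups_iter_next` left in `name`, without checking that the iterator call returned true. As an added illustration (not code from this issue, from cre2, or from RE2), here is a constructed C model of that calling convention with the lookup hardened to reject a NULL name and the iteration consuming `name` only while the iterator reports success; the `model_*` names and the sample group tables are assumptions, not cre2's data structures.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a regexp's named-capture table; it is NOT cre2's or
 * RE2's real data structure, only the (name, index) pairs such a table holds. */
typedef struct { const char *name; int index; } model_group_t;
typedef struct { const model_group_t *groups; size_t count; } model_regexp_t;
typedef struct { const model_regexp_t *re; size_t pos; } model_iter_t;

/* Models the iterator contract the reproducer relies on: once the groups are
 * exhausted, *name is set to NULL and false is returned, so `name` is only
 * meaningful while the call returns true. */
static int model_iter_next(model_iter_t *it, const char **name, int *index)
{
    if (it->pos >= it->re->count) { *name = NULL; *index = -1; return 0; }
    *name  = it->re->groups[it->pos].name;
    *index = it->re->groups[it->pos].index;
    it->pos++;
    return 1;
}

/* Hardened lookup: a NULL regexp or NULL name yields -1 (not found) instead of
 * ever being dereferenced; an unknown name also yields -1. */
static int model_find_named_group(const model_regexp_t *re, const char *name)
{
    if (re == NULL || name == NULL) return -1;
    for (size_t i = 0; i < re->count; i++)
        if (strcmp(re->groups[i].name, name) == 0) return re->groups[i].index;
    return -1;
}

/* The calling pattern the reproducer skips: consume `name` only while next()
 * reports true, and cross-check each name against the lookup. Returns the
 * number of groups verified, or -1 if iterator and lookup disagree. */
static int model_walk_groups(const model_regexp_t *re)
{
    model_iter_t it = { re, 0 };
    const char *name = NULL;
    int index = 0, verified = 0;
    while (model_iter_next(&it, &name, &index)) {
        if (model_find_named_group(re, name) != index) return -1;
        verified++;
    }
    /* name is NULL here; the hardened lookup returns -1 rather than crashing */
    return model_find_named_group(re, name) == -1 ? verified : -1;
}

/* Constructed samples: a regexp with two named groups and one with none
 * (the reproducer's first regexp is built from an empty pattern). */
static const model_group_t sample_groups[] = { { "year", 1 }, { "month", 2 } };
static const model_regexp_t sample_re = { sample_groups, 2 };
static const model_regexp_t empty_re  = { NULL, 0 };
```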
