CVE-2022-41409: [Bug report] Endless looping in pcre2test (v10.41, commit id: 3a1ad4) · Issue #141 · PCRE2Project/pcre2

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.


Bug Description

Hi, we found 151 input files on which pcre2test could not terminate within 60 minutes, which may indicate some dead loops.

We selected the simplest input file (decompress it) to analyze the bug; the results of our analysis are as follows. (There may be other situations.)

Bug Analysis

We find that an endless loop may occur at pcre2test.c:6860 with the input (decompress it).

The relevant code snippet is as follows.

```c
li = strtol((const char *)p, &endptr, 10);
i = (int32_t)li;
if (i-- == 0) { // ... }
// ...
replen = CAST8VAR(q) - start_rep;
needlen += replen * i;

if (needlen >= dbuffer_size)
  {
  // ...
  while (needlen >= dbuffer_size) dbuffer_size *= 2;   /* line 6860 */
  // ...
  }
```

  1. p = "-10", so li = i = -10
  2. After i--, i = -11
  3. With replen = CAST8VAR(q) - start_rep;, replen = 1
  4. With the initial value 10 and needlen += replen * i, needlen = -1 = 2^64 - 1, because needlen has type size_t
  5. Then an endless loop occurs at line 6860.
    • In fact, the while entry condition is vulnerable: with needlen ∈ [2^63, 2^64), the while loop very easily falls into endless looping.

How to reproduce

  1. Download the pcre2 source code from the official link and build it.
    • ./autogen.sh
    • CC=gcc CXX=g++ ./configure --disable-shared --prefix=…
    • make -j 8
    • make install
  2. Execute pcre2test with the provided input files.
    • Decompress the zip to get all the input files.
    • cd <your install directory>
    • ./bin/pcre2test <any input file in the zip>
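The arithmetic described in the report, as an added example that is not part of the original issue or of pcre2's code: it re-creates the vulnerable computation with pcre2test's types (negative strtol result cast to int32_t, post-decremented, multiplied into a size_t), runs the doubling loop in a bounded form so that its non-termination can be observed rather than suffered, and places a hardened parse and growth loop beside it. Function names are hypothetical; the starting values (needlen = 10, replen = 1) are the ones from the bug analysis above.

```c
/* Added example, not pcre2's own code: re-creates the arithmetic behind
 * the report above with pcre2test's types and shows a hardened variant.
 * Function names are hypothetical; needlen = 10 and replen = 1 are the
 * values from the bug analysis. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable path, as in the report: the repeat count is parsed with
 * strtol, cast to int32_t and post-decremented, then multiplied into a
 * size_t. For p = "-10" that gives i = -11; replen * i is evaluated as
 * unsigned, so needlen wraps around to SIZE_MAX. */
static size_t vulnerable_needlen(const char *p, size_t needlen, size_t replen)
{
  char *endptr;
  long li = strtol(p, &endptr, 10);
  int32_t i = (int32_t)li;
  if (i-- == 0) return needlen;   /* zero repetitions: nothing to add */
  needlen += replen * i;          /* i converted to size_t: wraps */
  return needlen;
}

/* The growth loop from pcre2test.c:6860, bounded so non-termination can
 * be observed instead of hanging. Returns the number of doublings, or -1
 * if the loop had not exited after max_iter rounds. Once dbuffer_size
 * reaches 2^63 the next doubling wraps to 0 and it stays 0 forever. */
static int grow_unbounded(size_t needlen, size_t dbuffer_size, int max_iter)
{
  int n = 0;
  while (needlen >= dbuffer_size)
  {
    if (n >= max_iter) return -1;
    dbuffer_size *= 2;
    n++;
  }
  return n;
}

/* Hardened parse: reject non-numeric, negative and oversized counts, and
 * check the multiplication and the addition for overflow before doing
 * them. Returns 0 and writes *out on success, -1 on rejection. Keeps the
 * original's semantics of adding (count - 1) extra copies. */
static int safe_needlen(const char *p, size_t needlen, size_t replen, size_t *out)
{
  char *endptr;
  errno = 0;
  long li = strtol(p, &endptr, 10);
  if (endptr == p || errno == ERANGE) return -1;       /* not a number / out of range */
  if (li < 0 || li > INT32_MAX) return -1;              /* negative or absurd count */
  size_t i = (size_t)li;
  if (i == 0) { *out = needlen; return 0; }
  i -= 1;
  if (replen != 0 && i > SIZE_MAX / replen) return -1; /* replen * i would overflow */
  size_t add = replen * i;
  if (add > SIZE_MAX - needlen) return -1;              /* needlen + add would overflow */
  *out = needlen + add;
  return 0;
}

/* Growth loop that cannot spin: stop when doubling would overflow
 * (or when the size is 0, which would never grow). */
static int grow_checked(size_t needlen, size_t *dbuffer_size)
{
  while (needlen >= *dbuffer_size)
  {
    if (*dbuffer_size == 0 || *dbuffer_size > SIZE_MAX / 2) return -1;
    *dbuffer_size *= 2;
  }
  return 0;
}

/* Wrappers that fold status and value into one number for checking:
 * -1 means rejected, otherwise the resulting length or buffer size. */
static long safe_needlen_or_neg(const char *p, size_t needlen, size_t replen)
{
  size_t out;
  if (safe_needlen(p, needlen, replen, &out) != 0 || out > LONG_MAX) return -1;
  return (long)out;
}

static long grow_checked_or_neg(size_t needlen, size_t initial)
{
  size_t sz = initial;
  if (grow_checked(needlen, &sz) != 0 || sz > LONG_MAX) return -1;
  return (long)sz;
}

int main(void)
{
  size_t bad = vulnerable_needlen("-10", 10, 1);
  printf("vulnerable needlen for \"-10\": %zu (SIZE_MAX)\n", bad);
  printf("growth loop exits? %s\n", grow_unbounded(bad, 1024, 200) < 0 ? "no" : "yes");
  printf("hardened parse of \"-10\": %ld, of \"3\": %ld\n",
         safe_needlen_or_neg("-10", 10, 1), safe_needlen_or_neg("3", 10, 1));
  return 0;
}
```

Two independent defects combine here: the count is never range-checked before it is mixed into unsigned arithmetic, and the growth loop assumes doubling always makes progress. Fixing either one alone is not enough, since a huge but legitimate needlen would still send the unchecked loop through 2^63 to 0; the hardened version rejects the bad count up front and also refuses to double past SIZE_MAX / 2.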
