[3.6] pcre: match() stack overflow (CVE-2017-16231)
In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash
overflow
in the function match() in pcre_exec.c because of a self-recursive
call.
References:
http://openwall.com/lists/oss-security/2017/11/01/3
http://seclists.org/oss-sec/2017/q4/164
(from redmine: issue id 8140, created on 2017-11-14, closed on 2017-12-07)
- Relations:
- parent #8138 (closed)
- Changesets:
- Revision afcf5d53 by Natanael Copa on 2017-12-04T09:03:15Z:
main/pcre: add secfixes comment for CVE-2017-16231
We are not affected by CVE-2017-16231 due to our build with
--with-match-limit-recursion=8192. We had this option since first
commit, version 7.8, and were never affected.
fixes #8140