Add fix and tests for callback enumerate (#801)

NWilson · carenas · web-flow · commit cc6c84d0207d · 2025-09-26T11:37:10.000+01:00
This is a bug in PCRE2 10.45 and 10.46, not present in 10.44 and earlier. The bug is that applications using pcre2_callout_enumerate() will crash badly on patterns with Unicode (ie non-ASCII) character classes. There is an out-of-bounds read of arbitrary length, including misinterpreting the bytes as offsets, allowing the read to jump forwards in memory to pretty much anywhere. Applications which call pcre2_callout_enumerate should potentially downgrade to PCRE2 10.44 until we release an update of PCRE2 with the fix. Since this function is (clearly!!) not used often by applications, I am not currently treating this as very high severity. There is no way for an attacker to make any application call this function, if it is not currently using it. The root cause seems to be commit 24f9d8d (#540). --------- Co-authored-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
diff --git a/src/pcre2_pattern_info.c b/src/pcre2_pattern_info.c
@@ -289,8 +289,7 @@ if (re->magic_number != MAGIC_NUMBER) return PCRE2_ERROR_BADMAGIC;
 if ((re->flags & (PCRE2_CODE_UNIT_WIDTH/8)) == 0) return PCRE2_ERROR_BADMODE;
 
 cb.version = 0;
-cc = (PCRE2_SPTR)((const uint8_t *)re + sizeof(pcre2_real_code))
-     + re->name_count * re->name_entry_size;
+cc = (PCRE2_SPTR)((uint8_t *)re + re->code_start);
 
 while (TRUE)
   {
diff --git a/src/pcre2test.c b/src/pcre2test.c
@@ -558,7 +558,6 @@ so many of them that they are split into two fields. */
 /* Combinations */
 
 #define CTL_DEBUG            (CTL_FULLBINCODE|CTL_INFO)  /* For setting */
-#define CTL_ANYINFO          (CTL_DEBUG|CTL_BINCODE|CTL_CALLOUT_INFO)
 #define CTL_ANYGLOB          (CTL_ALTGLOBAL|CTL_GLOBAL)
 
 /* Second control word */
diff --git a/src/pcre2test_inc.h b/src/pcre2test_inc.h
@@ -1258,9 +1258,16 @@ Returns:    PR_OK     continue processing next line
 static int
 show_pattern_info(void)
 {
+int rc;
 uint32_t compile_options, overall_options, extra_options;
 BOOL utf = (compiled_code->overall_options & PCRE2_UTF) != 0;
 
+if ((pat_patctl.control & CTL_MEMORY) != 0)
+  show_memory_info();
+
+if ((pat_patctl.control2 & CTL2_FRAMESIZE) != 0)
+  show_framesize();
+
 if ((pat_patctl.control & (CTL_BINCODE|CTL_FULLBINCODE)) != 0)
   {
   fprintf(outfile, "------------------------------------------------------------------\n");
@@ -1586,17 +1593,17 @@ if ((pat_patctl.control & CTL_INFO) != 0)
     }
   }
 
-if ((pat_patctl.control & CTL_CALLOUT_INFO) != 0)
+rc = pcre2_callout_enumerate(compiled_code,
+  ((pat_patctl.control & CTL_CALLOUT_INFO) != 0)? callout_enumerate_function :
+  /* Exercise the callout enumeration code with a dummy callback to make sure
+  it works. */
+  callout_enumerate_function_void, NULL);
+if (rc != 0)
   {
-  int errorcode = pcre2_callout_enumerate(compiled_code,
-    callout_enumerate_function, NULL);
-  if (errorcode != 0)
-    {
-    fprintf(outfile, "Callout enumerate failed: error %d: ", errorcode);
-    if (errorcode < 0 && !print_error_message(errorcode, "", "\n"))
-      return PR_ABEND;
-    return PR_SKIP;
-    }
+  fprintf(outfile, "Callout enumerate failed: error %d: ", rc);
+  if (rc < 0 && !print_error_message(rc, "", "\n"))
+    return PR_ABEND;
+  return PR_SKIP;
   }
 
 return PR_OK;
@@ -1763,13 +1770,9 @@ switch(cmd)
     {
     jitrc = pcre2_jit_compile(compiled_code, pat_patctl.jit);
     }
-  if ((pat_patctl.control & CTL_MEMORY) != 0) show_memory_info();
-  if ((pat_patctl.control2 & CTL2_FRAMESIZE) != 0) show_framesize();
-  if ((pat_patctl.control & CTL_ANYINFO) != 0)
-    {
-    rc = show_pattern_info();
-    if (rc != PR_OK) return rc;
-    }
+
+  rc = show_pattern_info();
+  if (rc != PR_OK) return rc;
   break;
 
   /* Save the stack of compiled patterns to a file, then empty the stack. */
@@ -1979,7 +1982,7 @@ BOOL utf;
 uint32_t k;
 uint8_t *p = buffer;
 unsigned int delimiter = *p++;
-int errorcode;
+int rc, errorcode;
 pcre2_compile_context *use_pat_context;
 PCRE2_SPTR use_pbuffer = NULL;
 uint32_t use_forbid_utf = forbid_utf;
@@ -2313,7 +2316,6 @@ if ((pat_patctl.control & CTL_POSIX) != 0)
   return PR_SKIP;
 
 #else
-  int rc;
   int cflags = 0;
   const char *msg = "** Ignored with POSIX interface:";
 
@@ -2523,7 +2525,6 @@ ends up back in the usual place. */
 
 if (pat_patctl.convert_type != CONVERT_UNSET)
   {
-  int rc;
   int convert_return = PR_OK;
   uint32_t convert_options = pat_patctl.convert_type;
   PCRE2_UCHAR *converted_pattern;
@@ -2918,13 +2919,8 @@ if ((pat_patctl.control2 & CTL2_NL_SET) != 0)
 
 /* Output code size and other information if requested. */
 
-if ((pat_patctl.control & CTL_MEMORY) != 0) show_memory_info();
-if ((pat_patctl.control2 & CTL2_FRAMESIZE) != 0) show_framesize();
-if ((pat_patctl.control & CTL_ANYINFO) != 0)
-  {
-  int rc = show_pattern_info();
-  if (rc != PR_OK) return rc;
-  }
+rc = show_pattern_info();
+if (rc != PR_OK) return rc;
 
 /* The "push" control requests that the compiled pattern be remembered on a
 stack. This is mainly for testing the serialization functionality. */

Original file line number	Diff line number	Diff line change
`@@ -289,8 +289,7 @@ if (re->magic_number != MAGIC_NUMBER) return PCRE2_ERROR_BADMAGIC;`
`289`	`289`	`if ((re->flags & (PCRE2_CODE_UNIT_WIDTH/8)) == 0) return PCRE2_ERROR_BADMODE;`
`290`	`290`
`291`	`291`	`cb.version = 0;`
`292`		`-cc = (PCRE2_SPTR)((const uint8_t *)re + sizeof(pcre2_real_code))`
`293`		`- + re->name_count * re->name_entry_size;`
	`292`	`+cc = (PCRE2_SPTR)((uint8_t *)re + re->code_start);`
`294`	`293`
`295`	`294`	`while (TRUE)`
`296`	`295`	`{`