Out of bounds read in onig_strcpy()

[hannob]

Passing a single byte with the value 0xD8 will cause an out of bounds read access.
This was found with libfuzzer and address sanitizer, tested against develop branch of oniguruma.

Example code:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char inp[1] = { 0xd8 };

    onig_new(&reg, inp, inp + 1, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

Address Sanitizer stack trace:

==15218==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea0eeb01 at pc 0x0000004ab6d5 bp 0x7fffea0edd70 sp 0x7fffea0ed520
READ of size 2 at 0x7fffea0eeb01 thread T0
    #0 0x4ab6d4 in __asan_memcpy (/mnt/ram/a.out+0x4ab6d4)
    #1 0x4f55e5 in onig_strcpy /mnt/ram/oniguruma/src/regparse.c:231:5
    #2 0x4f55e5 in onig_node_str_cat /mnt/ram/oniguruma/src/regparse.c:1350
    #3 0x506ee4 in node_new_str /mnt/ram/oniguruma/src/regparse.c:1409:7
    #4 0x506ee4 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4912
    #5 0x505891 in parse_branch /mnt/ram/oniguruma/src/regparse.c:5206:7
    #6 0x50189a in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5243:7
    #7 0x4f8040 in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5288:7
    #8 0x4f8040 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5315
    #9 0x528d41 in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #10 0x551d0f in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #11 0x4f21dc in main /mnt/ram/oob.c:7:5
    #12 0x7fa84b0a978f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x419708 in _start (/mnt/ram/a.out+0x419708)

Address 0x7fffea0eeb01 is located in stack of thread T0 at offset 65 in frame
    #0 0x4f205f in main /mnt/ram/oob.c:3

  This frame has 2 object(s):
    [32, 40) 'reg'
    [64, 65) 'inp' <== Memory access at offset 65 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/mnt/ram/a.out+0x4ab6d4) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10007d415d10: 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 f3 f3
  0x10007d415d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d50: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
=>0x10007d415d60:[01]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d415db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15218==ABORTING

[kkos]

Thank you for the report.
I have fixed it in develop branch.

[hannob]

It seems this is not fully fixed, a different input (bytes 0x5c, 0xda) still cause an out of bounds. Test code:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char inp[2] = { '\\', 0xd8 };

    onig_new(&reg, inp, inp + 2, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

ASAN error:

==29231==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd81832a2 at pc 0x0000004ab6d5 bp 0x7fffd8181ae0 sp 0x7fffd8181290
READ of size 2 at 0x7fffd81832a2 thread T0
    #0 0x4ab6d4 in __asan_memcpy (/mnt/ram/oniguruma/a.out+0x4ab6d4)
    #1 0x4f276c in onig_strcpy /mnt/ram/oniguruma/src/regparse.c:230:5
    #2 0x4f7856 in onig_node_str_cat /mnt/ram/oniguruma/src/regparse.c:1349:7
    #3 0x4f8531 in node_new_str /mnt/ram/oniguruma/src/regparse.c:1408:7
    #4 0x511fe2 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4911:13
    #5 0x51089b in parse_branch /mnt/ram/oniguruma/src/regparse.c:5205:7
    #6 0x50745d in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5242:7
    #7 0x4faf0f in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5287:7
    #8 0x4fa754 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5319:7
    #9 0x53e97f in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #10 0x54ee52 in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #11 0x4f21dc in main (/mnt/ram/oniguruma/a.out+0x4f21dc)
    #12 0x7f540f06678f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x419708 in _start (/mnt/ram/oniguruma/a.out+0x419708)

Address 0x7fffd81832a2 is located in stack of thread T0 at offset 66 in frame
    #0 0x4f205f in main (/mnt/ram/oniguruma/a.out+0x4f205f)

  This frame has 2 object(s):
    [32, 40) 'reg'
    [64, 66) 'inp' <== Memory access at offset 66 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/mnt/ram/oniguruma/a.out+0x4ab6d4) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10007b028600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10007b028650: 00 f2 f2 f2[02]f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007b028660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b028690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b0286a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29231==ABORTING

[kkos]

Thanks again.
I have fixed it in develop branch.
(commit: 873ba2d)