Fortinet Discovers PCRE Library Heap Overflow Vulnerability II
Fortinet's FortiGuard Labs has discovered a heap overflow vulnerability in the PCRE (Perl Compatible Regular Expressions) library.
The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as the Perl programming language. The PCRE library is free and is incorporated into a number of popular applications, such as MongoDB, MariaDB and PHP.
The PCRE library is prone to a heap overflow vulnerability that can be triggered by a crafted regular expression: because of insufficient bounds checking inside the function pcre_compile2(), compiling such a pattern can overflow heap memory.
Solutions: Upgrade to the PCRE Library 8.37 or above.
A pattern containing a forward reference subroutine call within a group that also contains a recursive back reference causes incorrect code to be compiled.
This vulnerability was discovered by Kai Lu of Fortinet's FortiGuard Labs.
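To act on the solution above, the first question on a host is which PCRE release is actually linked. The following is an added example (not Fortinet's or the PCRE project's code) that loads the system libpcre through ctypes, calls its real pcre_version() entry point, and compares the reported release against 8.37; it assumes a version string of the form "8.36 2014-09-26", and it does not see copies of PCRE bundled inside applications such as PHP, which must be checked separately.

```python
import ctypes
import ctypes.util
import re

# Release in which the pcre_compile2() heap overflow was fixed, per the advisory.
FIXED_VERSION = (8, 37)


def parse_pcre_version(version_string):
    """Parse the string returned by pcre_version(), e.g. '8.36 2014-09-26',
    into a (major, minor) tuple. Raises ValueError on unexpected input."""
    m = re.match(r"\s*(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised PCRE version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def needs_upgrade(version_string, fixed=FIXED_VERSION):
    """True if the reported PCRE release is older than the fixed release."""
    return parse_pcre_version(version_string) < fixed


def installed_pcre_version():
    """Return the version string of the system-wide libpcre (PCRE1), or None
    if ctypes cannot locate the library. Application-bundled copies of PCRE
    are not covered by this lookup."""
    name = ctypes.util.find_library("pcre")
    if name is None:
        return None
    lib = ctypes.CDLL(name)
    lib.pcre_version.restype = ctypes.c_char_p   # const char *pcre_version(void)
    lib.pcre_version.argtypes = []
    return lib.pcre_version().decode("ascii", "replace")


if __name__ == "__main__":
    reported = installed_pcre_version()
    if reported is None:
        print("libpcre not found via ctypes; check bundled copies (e.g. PHP's) separately")
    else:
        status = "older than 8.37, upgrade required" if needs_upgrade(reported) else "8.37 or later"
        print(f"PCRE {reported}: {status}")
```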