<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/64848>64848</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
heap-buffer-overflow /src/llvm-project/llvm/lib/Support/regcomp.c:1641:9 in findmust
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
CWResearcher
</td>
</tr>
</table>
<pre>
# Description
I fuzzed the LLVM project, using the OSS-Fuzz setup as a reference.
While the harness was compiling regular expressions, I observed a heap-buffer-overflow crash report.
# Crash Information
- I used the following fuzzing test code:
(https://github.com/llvm/llvm-project/blob/main/llvm/tools/llvm-special-case-list-fuzzer/DummySpecialCaseListFuzzer.cpp)
```
#include "llvm/Support/MemoryBuffer.h"
#include "llvm/Support/SpecialCaseList.h"
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  // libFuzzer entry point: wrap the raw input bytes in a non-owning,
  // non-null-terminated MemoryBuffer and feed it to SpecialCaseList::create.
  // The created list is dropped on the floor; only the parse (which, per the
  // trace above, compiles each entry as a regex) is of interest here.
  const llvm::StringRef Input(reinterpret_cast<const char *>(Data), Size);
  auto Buffer =
      llvm::MemoryBuffer::getMemBuffer(Input, "", /*RequiresNullTerminator=*/false);
  if (Buffer == nullptr)
    return 0;

  // Receives a human-readable parse error, if any; not inspected by the harness.
  std::string ParseError;
  llvm::SpecialCaseList::create(Buffer.get(), ParseError);
  return 0;
}
```
- The ASan log is as follows; it shows an 8-byte out-of-bounds read in `findmust` (regcomp.c:1641), 32 bytes past the end of a 208-byte heap region that was last reallocated in `stripsnug` (regcomp.c:1590):
```
/out/llvm-special-case-list-fuzzer -rss_limit_mb=2560 -timeout=25 llvm-special-case-list-fuzzer_poc/llvm--llvm-special-case-list-fuzzer--crash-fff54cf77e0060d4984f0d431c8e9cae-2023-08-16-00:00:58 # /tmp/llvm-special-case-list-fuzzer_corpus < /dev/null
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1777987310
INFO: Loaded 1 modules (35476 inline 8-bit counters): 35476 [0xa5f308, 0xa67d9c),
INFO: Loaded 1 PC tables (35476 PCs): 35476 [0xa67da0,0xaf26e0),
/out/llvm-special-case-list-fuzzer: Running 1 inputs 1 time(s) each.
Running: llvm-special-case-list-fuzzer_poc/llvm--llvm-special-case-list-fuzzer--crash-fff54cf77e0060d4984f0d431c8e9cae-2023-08-16-00:00:58
=================================================================
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000630 at pc 0x00000082f4d8 bp 0x7ffd7a94c790 sp 0x7ffd7a94c788
READ of size 8 at 0x611000000630 thread T0
SCARINESS: 33 (8-byte-read-heap-buffer-overflow-far-from-bounds)
#0 0x82f4d7 in findmust /src/llvm-project/llvm/lib/Support/regcomp.c:1641:9
#1 0x82f4d7 in llvm_regcomp /src/llvm-project/llvm/lib/Support/regcomp.c:379:2
#2 0x7de73b in llvm::Regex::Regex(llvm::StringRef, llvm::Regex::RegexFlags) /src/llvm-project/llvm/lib/Support/Regex.cpp:36:11
#3 0x57bdaa in llvm::SpecialCaseList::Matcher::insert(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:50:9
#4 0x58110f in llvm::SpecialCaseList::parse(llvm::MemoryBuffer const*, llvm::StringMap<unsigned long, llvm::MallocAllocator>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:189:16
#5 0x57e2b5 in createInternal /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:117:8
#6 0x57e2b5 in llvm::SpecialCaseList::create(llvm::MemoryBuffer const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:81:12
#7 0x56da34 in LLVMFuzzerTestOneInput /src/llvm-project/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp:22:3
#8 0x43f303 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#9 0x42aa62 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#10 0x43030c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#11 0x459842 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#12 0x7f2311f4b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#13 0x420c2d in _start (/out/llvm-special-case-list-fuzzer+0x420c2d)
DEDUP_TOKEN: findmust--llvm_regcomp--llvm::Regex::Regex(llvm::StringRef, llvm::Regex::RegexFlags)
0x611000000630 is located 32 bytes to the right of 208-byte region [0x611000000540,0x611000000610)
allocated by thread T0 here:
#0 0x53089c in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
#1 0x82e162 in stripsnug /src/llvm-project/llvm/lib/Support/regcomp.c:1590:20
#2 0x82e162 in llvm_regcomp /src/llvm-project/llvm/lib/Support/regcomp.c:378:2
#3 0x7de73b in llvm::Regex::Regex(llvm::StringRef, llvm::Regex::RegexFlags) /src/llvm-project/llvm/lib/Support/Regex.cpp:36:11
#4 0x57bdaa in llvm::SpecialCaseList::Matcher::insert(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:50:9
#5 0x58110f in llvm::SpecialCaseList::parse(llvm::MemoryBuffer const*, llvm::StringMap<unsigned long, llvm::MallocAllocator>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:189:16
#6 0x57e2b5 in createInternal /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:117:8
#7 0x57e2b5 in llvm::SpecialCaseList::create(llvm::MemoryBuffer const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) /src/llvm-project/llvm/lib/Support/SpecialCaseList.cpp:81:12
#8 0x56da34 in LLVMFuzzerTestOneInput /src/llvm-project/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp:22:3
#9 0x43f303 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#10 0x42aa62 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#11 0x43030c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#12 0x459842 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#13 0x7f2311f4b082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
DEDUP_TOKEN: __interceptor_realloc--stripsnug--llvm_regcomp
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm-project/llvm/lib/Support/regcomp.c:1641:9 in findmust
Shadow bytes around the buggy address:
0x0c227fff8070: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8090: 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa
0x0c227fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff80c0: 00 00 fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0c227fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11==ABORTING
```
![스크린샷 2023-08-21 150841](https://github.com/llvm/llvm-project/assets/141209612/66319e55-b279-4850-8247-45bb369df6e4)
[llvm--llvm-special-case-list-fuzzer--crash-fff54cf77e0060d4984f0d431c8e9cae-2023-08-16-00.txt](https://github.com/llvm/llvm-project/files/12392743/llvm--llvm-special-case-list-fuzzer--crash-fff54cf77e0060d4984f0d431c8e9cae-2023-08-16-00.txt)
</pre>