Unrated severity · NVD Advisory · Published Nov 21, 2019 · Updated Aug 5, 2024

CVE-2019-19204

Description

Heap buffer over-read in Oniguruma's fetch_interval_quantifier allows out-of-bounds read via crafted regex.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Oniguruma versions 6.x before 6.9.4_rc2 have a heap-based buffer over-read in the fetch_interval_quantifier function in regparse.c. PFETCH is called without first checking whether the parse pointer has reached the end of the input (PEND), so the parser reads beyond the allocated buffer. This occurs when parsing a specially crafted regular expression pattern that includes an escaped brace interval such as _\{21\} [1][3].
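The end-of-input check described above, as an added example (a simplified model written for this page, not Oniguruma's source): every read goes through a guarded fetch, so an interval body that ends right after the escape character is rejected instead of read past. The names interval, cursor, fetch, scan_number and parse_escaped_interval are hypothetical, and the n,m form is handled in addition to the single-count form the page shows.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration, not Oniguruma source. Parses the text
   that follows "\{" in a GREP-style interval, e.g. "21\}" or "2,5\}". */
typedef struct { int ok; int lo; int hi; size_t used; } interval;
typedef struct { const char *p; const char *end; } cursor;

/* Guarded fetch: test the end before every read (PEND before PFETCH). */
static int fetch(cursor *c, char *out) {
  if (c->p >= c->end) return 0;
  *out = *c->p++;
  return 1;
}

/* Returns the number of digits read, or -1 if the value is too large. */
static int scan_number(cursor *c, int *val) {
  int n = 0, digits = 0;
  for (; c->p < c->end && *c->p >= '0' && *c->p <= '9'; c->p++, digits++) {
    if (n > 100000) return -1;
    n = n * 10 + (*c->p - '0');
  }
  *val = n;
  return digits;
}

interval parse_escaped_interval(const char *s, size_t len) {
  interval bad = { 0, 0, 0, 0 }, iv = { 0, 0, 0, 0 };
  cursor c = { s, s + len };
  char ch;
  if (scan_number(&c, &iv.lo) <= 0) return bad;
  iv.hi = iv.lo;
  if (!fetch(&c, &ch)) return bad;
  if (ch == ',') {
    int d = scan_number(&c, &iv.hi);
    if (d < 0) return bad;
    if (d == 0) iv.hi = -1;            /* "n," means no upper bound */
    if (!fetch(&c, &ch)) return bad;
  }
  if (ch != '\\') return bad;
  if (!fetch(&c, &ch)) return bad;     /* input may end right after the escape */
  if (ch != '}') return bad;
  iv.ok = 1; iv.used = (size_t)(c.p - s);
  return iv;
}

int main(void) {  /* constructed sample: body cut off right after the escape */
  printf("ok=%d\n", parse_escaped_interval("21\\", 3).ok);
  return 0;
}
```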

Exploitation

An attacker can trigger the vulnerability by supplying a malicious regular expression pattern to an application that uses Oniguruma. The provided proof-of-concept uses the pattern _\{21\} and compiles it with ONIG_SYNTAX_GREP. No authentication or special privileges are required; the attacker only needs to be able to submit a regex for compilation[1][3].

Impact

Successful exploitation results in a heap-based buffer over-read, which can cause a crash or disclose sensitive memory contents. The crash log from AddressSanitizer shows a read of size 1 at an invalid address, leading to denial of service. Under certain conditions, this could potentially be leveraged for information disclosure[1][3].

Mitigation

The issue is fixed in Oniguruma version 6.9.4_rc2, released on the project's GitHub page[4]. Users should upgrade to this version or later. If upgrading is not immediately possible, avoid processing untrusted regular expression patterns with affected versions of Oniguruma. No other workarounds have been published.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

64

Patches

2
e03900b038a2

update HISTORY

https://github.com/kkos/oniguruma · K.Kosako · Nov 29, 2019 · via osv
1 file changed · +1 -1
  • HISTORY · +1 -1 · modified
    @@ -1,6 +1,6 @@
     History
     
    -2019/MM/DD: Version 6.9.4
    +2019/11/29: Version 6.9.4
     
     2019/11/22: Release Candidate 3 for Version 6.9.4
     
    
681824e81bb5

change pattern size to be random

https://github.com/kkos/oniguruma · K.Kosako · Nov 14, 2019 · via osv
1 file changed · +9 -4
  • harnesses/encode-harness.c · +9 -4 · modified
    @@ -152,7 +152,7 @@ output_data(char* path, const uint8_t * data, size_t size)
     
     
     #define EXEC_PRINT_INTERVAL  10000000
    -#define MAX_PATTERN_SIZE     100
    +#define MAX_PATTERN_SIZE     150
     
     #ifdef SYNTAX_TEST
     #define NUM_CONTROL_BYTES      3
    @@ -238,9 +238,14 @@ int LLVMFuzzerTestOneInput(const uint8_t * Data, size_t Size)
       data++;
       remaining_size--;
     
    -  pattern_size = remaining_size / 2;
    -  if (pattern_size > MAX_PATTERN_SIZE)
    -    pattern_size = MAX_PATTERN_SIZE;
    +  //pattern_size = remaining_size / 2;
    +  if (remaining_size == 0)
    +    pattern_size = 0;
    +  else {
    +    pattern_size = INPUT_COUNT % remaining_size;
    +    if (pattern_size > MAX_PATTERN_SIZE)
    +      pattern_size = MAX_PATTERN_SIZE;
    +  }
     
     #if defined(UTF16_BE) || defined(UTF16_LE)
       if (pattern_size % 2 == 1) pattern_size--;
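
Review bot: in the else branch, pattern_size = INPUT_COUNT % remaining_size takes the split point from INPUT_COUNT, which is not defined in the visible lines and is not derived from Data. If it is a running execution counter, the same input bytes are split differently from run to run, so a crash found by the fuzzer may not reproduce when the saved input is replayed on its own. Consider deriving the size from a byte of Data so the harness stays deterministic per input. The commented-out line //pattern_size = remaining_size / 2; should be deleted rather than left as dead code, and a short comment should note that the modulo can yield pattern_size == 0 even when remaining_size is nonzero.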
    

References

6
