
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2019-20454 is an out-of-bounds read vulnerability in PCRE2 (Perl Compatible Regular Expressions) versions before 10.34. It occurs when the pattern \X is JIT-compiled and then used to match specially crafted subjects in non-UTF mode. The flaw was reported in February 2020 and lies in the do_extuni_no_utf function in pcre2_jit_compile.c (CVE-MITRE, NVD).
The vulnerability is triggered when the pattern \X is JIT-compiled with the PCRE2_JIT_COMPLETE option and then matched against particular subjects in non-UTF mode. do_extuni_no_utf uses the GETCHARINC macro to read a character; when the subject contains an invalid UTF character, the value read is too large, and the subsequent UCD_GRAPHBREAK macro uses it as an index, causing an out-of-bounds read (Red Hat Bugzilla).
Applications that use PCRE2 to match untrusted input may be affected by this flaw. When exploited, the vulnerability can cause application crashes and denial of service. The impact is particularly relevant when PCRE2 is used with JIT compilation enabled (Gentoo Security, Debian LTS).
The vulnerability is fixed in PCRE2 version 10.34 and later, and users are advised to upgrade to the latest version of PCRE2. Where an immediate upgrade is not possible, disabling JIT compilation serves as a temporary workaround. Several Linux distributions have released security updates addressing this vulnerability, including Red Hat Enterprise Linux 8, Fedora, and Debian (Debian LTS, Fedora Update).
Source: This report was generated using AI