php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #74087 Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
Submitted: 2017-02-12 09:32 UTC Modified: 2017-07-05 04:12 UTC
From: idaifish at gmail dot com Assigned:
Status: Closed Package: PCRE related
PHP Version: 7.1.1 OS: Ubuntu16.04LTS
Private report: No CVE-ID: None
 [2017-02-12 09:32 UTC] idaifish at gmail dot com
Description:
------------
Segmentation fault.

Tested on Ubuntu16.04LTS.

$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies


Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";

preg_match($pattern, "helloworld");

?>


Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
    #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
    #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
    #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
    #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
    #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
    #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
    #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
    #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
    #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
    #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
    #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
    #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
    #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
    #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
    #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
    #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath


GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8, cc=0x1f04d4f "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8, cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1, errorptr=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120) at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized out>, subject_len=<optimized out>, replace_val=<optimized out>, is_callable_replace=<optimized out>, limit=<optimized out>, replace_count=<optimized out>, subject_str=<optimized out>) at ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=<optimized out>, limit=-1, is_callable_replace=0, replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78, regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250, limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0, return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>, retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1381

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-13 02:09 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2017-02-13 02:09 UTC] stas@php.net
Looks like PCRE issue, please report upstream to PCRE maintainers.
 [2017-02-13 08:04 UTC] idaifish at gmail dot com
-Status: Feedback +Status: Open
 [2017-02-13 08:04 UTC] idaifish at gmail dot com
Ok, I'll report it to maintainers.
 [2017-02-13 23:55 UTC] cmb@php.net
> Ok, I'll report it to maintainers.

Thanks! Please don't forget to link to the upstream report (once
it is publicly available).
 [2017-02-14 11:06 UTC] idaifish at gmail dot com
Update: Bug has been fixed.

report: https://bugs.exim.org/show_bug.cgi?id=2035
patch: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
 [2017-07-05 04:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7f4fd470635c30018d7ac71ab3b848195bf8795
Log: Fix bug #74087
 [2017-07-05 04:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2017-07-05 04:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7f4fd470635c30018d7ac71ab3b848195bf8795
Log: Fix bug #74087
 [2017-07-06 08:50 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73915a2bd61f21fd809b4d50af9aba950f43e807
Log: Fix bug #74087
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC