[2003-10-28 17:31 UTC] sniper@php.net
[2011-09-29 13:01 UTC] ferenczy at volny dot cz
Description:
------------
Variable $fileContent is a rather small html file. A function (see below) converts some comment tags and writes the output to a different file. On a RH 8 install, the maximum size of this html file is 9233 bytes. Add 1 or more characters to the html file, and the function causes a segmentation fault. PHP version is 4.2.2 which comes standard with RedHat. Also tested on a Debian 3.1 install, where the max size of the source html file proved to be 11690 bytes.

Reproduce code:
---------------
function revertComments($fileContent)
{
    $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
    $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
    $fileContent = preg_replace($pattern, $replace, $fileContent);
    return $fileContent;
}

Expected result:
----------------
The function should convert the input.

Actual result:
--------------
The script I used was called jjj.php. The output is only part of the strace. The size of the source html to be converted was 9234 bytes.

open("jjj.php", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET) = 0
brk(0) = 0x824c000
brk(0x8250000) = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0) = 0x8250000
brk(0x8251000) = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096) = 0
brk(0) = 0x8251000
brk(0x8252000) = 0x8252000
read(3, "", 8192) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3) = 0
munmap(0x4001a000, 4096) = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096) = 0
close(3) = 0
munmap(0x4001a000, 4096) = 0
brk(0) = 0x8252000
brk(0x8254000) = 0x8254000
brk(0) = 0x8254000
brk(0x8259000) = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The same script with the same html source file but 1 character removed has more or less the same output as above, but continues (see below) instead of segfaulting:

open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3) = 0
munmap(0x4001a000, 4096) = 0
write(1, "X-Powered-By: PHP/4.2.2", 23X-Powered-By: PHP/4.2.2) = 23
write(1, "\r\n", 2 ) = 2
write(1, "Content-type: text/html", 23Content-type: text/html) = 23
write(1, "\r\n", 2 ) = 2
write(1, "\r\n", 2 ) = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280) = 0
munmap(0x408e9000, 171372) = 0
munmap(0x40913000, 42104) = 0
munmap(0x4091e000, 42532) = 0
munmap(0x40792000, 797228) = 0
munmap(0x40855000, 76604) = 0
munmap(0x40868000, 384604) = 0
munmap(0x408c6000, 64436) = 0
munmap(0x40014000, 4552) = 0
munmap(0x408e0000, 34836) = 0
munmap(0x40929000, 221952) = 0
munmap(0x40016000, 14392) = 0
munmap(0x40969000, 509688) = 0
_exit(0) = ?