Bug #38401 preg_match segfaults with large negative lookaheads (pcre bug)
Submitted: 2006-08-09 18:50 UTC Modified: 2006-08-09 21:08 UTC
From: ibexris at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.1.4 OS: FC5
Private report: No CVE-ID: None
 [2006-08-09 18:50 UTC] ibexris at gmail dot com
Description:
------------
This is a rehash/update of Bug #27525 (http://bugs.php.net/bug.php?id=27525), which I can't update (you guys really need a way for new people to add comments to existing tickets).

Not sure if the original submitter ever emailed Philip, but after bumping my head against this problem yesterday, I contacted him myself.

He is now able to reproduce the bug in the current version of pcre (6.7), and expects to have a fix sometime in September or October (the first chance he'll have to actually look at the code).  I've created this new ticket because there will be a pending fix upstream.

FYI, better code to reproduce:

<?php
  $string = str_repeat('x', 11000);
  $pattern = '/(.(?!b))*/';
  echo preg_match($pattern, $string);
?>

And a workaround, since none was posted before:

<?php
  $pattern = '/(.(?!b)){0,540}/';
?>

You can't go above 540 because preg_replace complains about the pattern being too large.


 [2006-08-09 19:16 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-08-09 20:27 UTC] ibexris at gmail dot com
Please test what?  I said that the pcre author knows about the problem, can replicate it, and that it will someday be fixed, not that it *is* fixed.

Anyway, I can't run a prerelease version of PHP -- all of my systems are in production, so it'll have to wait until PHP releases a new version that gets picked up by redhat/fedora.
 [2006-08-09 20:53 UTC] tony2001@php.net
Not reproducible, because run-time configurable backtracking/recursion limits were added in PHP 5.2.0RC1.
Also, PCRE bugs do not belong here, this system is for PHP bugs.
 [2006-08-09 20:59 UTC] ibexris at gmail dot com
You're missing the point of this bug report.  I created it because in Bug #27525, you clearly state that you would pull in the latest pcre when the bug is fixed.  Well, it *will* be fixed, so you should keep an eye out for it when it is (in fact, if this bug is kept open, I will even post an update in it when Philip writes back to tell me that it's fixed).
 [2006-08-09 21:08 UTC] tony2001@php.net
Please read what I said: it's already fixed in PHP 5.2.0RC1.
We'll update PCRE as soon as the new version is out, but there is no bug in PHP and this issue doesn't affect it either.
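
The run-time backtracking/recursion limits mentioned in the comments above can be applied and checked as follows. This is an added example, not code from the report or from the PHP project; the function name `bounded_preg_match` and the limit values are assumptions, and it assumes PHP 7.0 or later.

```php
<?php
// Added example (hypothetical helper); limit values are illustrative assumptions.

/**
 * Run preg_match() under explicit PCRE limits and report a limit hit
 * separately from an ordinary "no match" result.
 */
function bounded_preg_match(string $pattern, string $subject,
                            int $recursionLimit = 10000,
                            int $backtrackLimit = 100000): array
{
    // Both settings can be changed at run time and exist since PHP 5.2.0.
    $oldRecursion = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    $oldBacktrack = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);

    // preg_match() returns 1 (match), 0 (no match) or false (error).
    $result = preg_match($pattern, $subject);
    $code   = preg_last_error();

    // Restore the previous limits so other code in the request is unaffected.
    if ($oldRecursion !== false) {
        ini_set('pcre.recursion_limit', $oldRecursion);
    }
    if ($oldBacktrack !== false) {
        ini_set('pcre.backtrack_limit', $oldBacktrack);
    }

    $names = [
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
    ];
    // With the PCRE JIT enabled, exhaustion may be reported through this code.
    if (defined('PREG_JIT_STACKLIMIT_ERROR')) {
        $names[PREG_JIT_STACKLIMIT_ERROR] = 'PREG_JIT_STACKLIMIT_ERROR';
    }

    return [
        'result' => $result,
        'error'  => $names[$code] ?? "UNKNOWN($code)",
    ];
}

// Constructed input: the pattern and subject length from the report above.
$outcome = bounded_preg_match('/(.(?!b))*/', str_repeat('x', 11000));
var_dump($outcome);
?>
```

Treat a `false` result as a failed validation rather than as "no match", since a subject that exhausts the limits has not actually been checked against the pattern.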
 