php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28461 segmentation fault when using backreferences on a long string
Submitted: 2004-05-20 22:15 UTC Modified: 2006-01-06 03:35 UTC
Votes:14
Avg. Score:4.3 ± 1.2
Reproduced:10 of 11 (90.9%)
Same Version:6 (60.0%)
Same OS:7 (70.0%)
From: xanthor at xanthor dot tk Assigned: andrei (profile)
Status: Wont fix Package: PCRE related
PHP Version: 4.4.1 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: xanthor at xanthor dot tk
New email:
PHP Version: OS:

 

 [2004-05-20 22:15 UTC] xanthor at xanthor dot tk
Description:
------------
This line crash PHP with a segmentation fault.
It use a 3-chars-long back reference, on a 2236+3 chars-long string 


If the back references is only 2 chars long, it's ok.
If the long string is less that 2236+3 chars, it's ok too...

Reproduce code:
---------------
preg_match("/(((?<!aaa).)*)(?<!aaa)aaa/",str_repeat(' ',2236).'aaa',$z);




Expected result:
----------------
No crash, and true return by the preg_match

Actual result:
--------------
segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-08-23 11:24 UTC] xanthor at xanthor dot tk
Updating version :
I've found an other expression which segfaults also PHP 5 :
preg_match("/^((?<!a).)*/",str_repeat('b',21236),$z);
 [2004-09-10 17:01 UTC] hewei at ied dot org dot cn
preg_match("/(((?<!aaa).)*)(?<!aaa)aaa/",str_repeat(' ',10882).'aaa',$z);

crashes PHP4.3.9RC2

But not on php-4.3.2-11.1.ent (WBEL 3.0), the length
to trigger segmentation fault is about 19230.

The most funny thing is that the more closer to the limit, the more likely you will get a random segmentation fault.

Not only the above pattern will cause the error,
preg_match("/^( )*$/",str_repeat(' ',19250));
will too.
 [2004-09-16 15:50 UTC] nlopess@php.net
your last regex crashes PHP 5 also.

The segfault isn't in PHP but in pcre (this is quite normal due to the NFA nature of pcre).
 [2004-12-06 16:17 UTC] tony2001@php.net
Can't reproduce with any of dev versions (tried latest 4.3.10-dev, 5.1.0-dev & 5.0.3-dev under Linux). Please, try latest snapshots and tell me what version of pcre you're using (mine is 3.9) if you're still able to reproduce it.
 [2004-12-09 14:13 UTC] xanthor at xanthor dot tk
Still segfault with PHP 4.3.10RC2 and PCRE Library Version 	4.5 01-December-2003
 [2004-12-09 14:57 UTC] jorton@php.net
This is the standard "PCRE uses on-stack recursion" bug which has been filed and closed umpteen times.  To reproduce just increase the length of the string until exhausts your stack space.

One way PHP could mitigate the issue is to to set the match_limit field in the pcre_extra structure which puts a limit on the depth of the stack recursion.  
 [2005-11-16 04:48 UTC] xanthor at xanthor dot tk
Still crashes with 4.4.1, increasing the length of the string.
 [2005-11-20 19:34 UTC] sniper@php.net
Andrei says this is not possible to fix since we can't tell what the limit for recursion should be.

 [2005-11-20 23:41 UTC] xanthor at xanthor dot tk
> It's not really useful since it doesn't exist. Try again..
You should have been a bit faster to look at it, while it was online.

I re-paste it here :

#0  0x080ad99c in match (eptr=0x8358fe4 ' ' <repeats 200 times>..., ecode=0x834faf5 "I", offset_top=6, md=0xbffaa264, ims=0, 
    eptrb=0x0, flags=2) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:357
357     {
(gdb) bt
#0  0x080ad99c in match (eptr=0x8358fe4 ' ' <repeats 200 times>..., ecode=0x834faf5 "I", offset_top=6, md=0xbffaa264, ims=0, 
    eptrb=0x0, flags=2) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:357
#1  0x080adb9b in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:747
#2  0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#3  0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123
#4  0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#5  0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123
#6  0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#7  0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123
#8  0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#9  0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123
#10 0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#11 0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123
#12 0x080b1222 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:589
#13 0x080b2327 in match (eptr=Variable "eptr" is not available.
) at /home/xanthor/temp/web/php-4.4.1/ext/pcre/pcrelib/pcre_exec.c:1123

And same thing again and again...
 [2006-01-06 03:35 UTC] sniper@php.net
Andrei says this is not possible to fix since we can't tell what the limit for recursion should be.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC