PHP :: Bug #65009 :: preg_match segmentation fault with long strings

Bug #65009

preg_match segmentation fault with long strings

Submitted:

2013-06-10 19:19 UTC

Modified:

2013-06-11 09:43 UTC

Votes:	2
Avg. Score:	3.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

r dot hampartsumyan at gmail dot com

Assigned:

Status:

Not a bug

Package:

PCRE related

PHP Version:

5.4.16

OS:

Linux (Debian 6.0 and Mint 13)

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	r dot hampartsumyan at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-06-10 19:19 UTC] r dot hampartsumyan at gmail dot com

Description:
------------
When trying to match a longer string with the following regex, preg_match causes a segmentation fault - $pattern = "/^(?:%[[:xdigit:]]{2}|[A-Za-z0-9-_.!~*'()\[\];\/?:@&=+$,])*$/"; (this is the regex used in zf1's Zend_Uri_Http for validating queries).
Tested with 5.3.26, 5.4.16 and 5.5rc3
The fault is reproducible in cli as well as in apache context, though the length of the string needed may vary (for example, I managed to reproduce it in apache context with shorter string by activating a perl module that allocates more memmory /the more memmory used by the mod - the shorter the string that caused the fault/) 







Test script:
---------------
$query = str_repeat("x", 20000);
	
$pattern = "/^(?:%[[:xdigit:]]{2}|[A-Za-z0-9-_.!~*'()\[\];\/?:@&=+$,])*$/";

$status  = @preg_match($pattern, $query);

echo "success";

Expected result:
----------------
"success"

Actual result:
--------------
(gdb) bt
#0  0x080db48a in match (eptr=0xb774ebee 'x' <repeats 200 times>..., ecode=<error reading variable: Cannot access memory at address 0xbf233f44>, 
    mstart=<error reading variable: Cannot access memory at address 0xbf233f5c>, offset_top=2, md=<error reading variable: Cannot access memory at address 0xbf233f58>, 
    eptrb=<error reading variable: Cannot access memory at address 0xbf233f54>, rdepth=11624) at /home/rado/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:500
#1  0x080dc235 in match (eptr=0xb774ebee 'x' <repeats 200 times>..., ecode=0x972c8dd "}", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11623)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:1069
#2  0x080de3f5 in match (eptr=0xb774ebee 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11622)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#3  0x080de3f5 in match (eptr=0xb774ebed 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11621)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#4  0x080de3f5 in match (eptr=0xb774ebec 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11620)
    at /usr/local/phpsrcs/5.4.16/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#5  0x080de3f5 in match (eptr=0xb774ebeb 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11619)
    at /usr/local/phpsrcs/5.4.16/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#6  0x080de3f5 in match (eptr=0xb774ebea 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11618)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#7  0x080de3f5 in match (eptr=0xb774ebe9 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11617)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#8  0x080de3f5 in match (eptr=0xb774ebe8 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11616)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#9  0x080de3f5 in match (eptr=0xb774ebe7 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11615)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#10 0x080de3f5 in match (eptr=0xb774ebe6 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11614)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#11 0x080de3f5 in match (eptr=0xb774ebe5 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11613)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#12 0x080de3f5 in match (eptr=0xb774ebe4 'x' <repeats 200 times>..., ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>..., offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11612)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
.................

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-10 21:11 UTC] ab@php.net

-Status: Open +Status: Feedback

[2013-06-10 21:11 UTC] ab@php.net

Already tried to increase the backtrack and recursion limit?

[2013-06-10 21:30 UTC] r dot hampartsumyan at gmail dot com

Setting a big enough value for pcre.backtrack_limit would solve the problem but shouldn't this emit some pcre error instead of segfault? According to the example in http://php.net/manual/en/function.preg-last-error.php this should be a catchable error

[2013-06-11 09:43 UTC] ab@php.net

-Status: Feedback +Status: Not a bug

[2013-06-11 09:43 UTC] ab@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

This kind of issue cannot be catched by the error handler because it happens on a 
lower level.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 21 04:00:02 2025 UTC