PHP :: Bug #73490 :: segfault in match (pcre

Bug #73490

segfault in match (pcre_exec.c)

Submitted:

2016-11-10 19:27 UTC

Modified:

2016-11-18 12:10 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

brian dot carpenter at gmail dot com

Assigned:

cmb (profile)

Status:

Not a bug

Package:

PCRE related

PHP Version:

5.6.28

OS:

Debian 8.x

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	brian dot carpenter at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-11-10 19:27 UTC] brian dot carpenter at gmail dot com

Description:
------------
Found while fuzzing with AFL+ASan.

Test script:
---------------
<?php

$pattern = '(?(1)0|(?(1)0)+)+((()))';

$a = preg_match("/$pattern/", '2966');
var_dump($a);

Expected result:
----------------
No crash. For example, PHP 5.6.24-0+deb8u1 returns int(1).

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x000000000060e47f in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8715) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:516
516     {
(gdb) list
511
512     static int
513     match(REGISTER PCRE_PUCHAR eptr, REGISTER const pcre_uchar *ecode,
514       PCRE_PUCHAR mstart, int offset_top, match_data *md, eptrblock *eptrb,
515       unsigned int rdepth)
516     {
517     /* These variables do not need to be preserved over recursion in this function,
518     so they can be ordinary variables in all cases. Mark some of them with
519     "register" because they are used a lot in loops. */
520
(gdb) bt
#0  0x000000000060e47f in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8715) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:516
#1  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8714) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#2  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8713) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#3  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8712) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#4  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8711) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#5  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8710) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#6  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8709) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#7  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8708) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#8  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8707) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
#9  0x000000000066b5a1 in match (eptr=0x7ffff7e63610 "2966", ecode=0x60c000006743 "\207", mstart=0x7ffff7e63610 "2966", offset_top=2,
    md=0x7fffffff9d40, eptrb=0x0, rdepth=8706) at /root/php-5.6.27/ext/pcre/pcrelib/pcre_exec.c:2061
and on and on for infinity...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-10 21:07 UTC] brian dot carpenter at gmail dot com

-Summary: segfault in pcre_exec.c +Summary: segfault in match (pcre_exec.c) -PHP Version: 5.6.27 +PHP Version: 5.6.28

[2016-11-10 21:07 UTC] brian dot carpenter at gmail dot com

Updated because it also crashes the recently released 5.6.28.

[2016-11-18 12:10 UTC] cmb@php.net

-Status: Open +Status: Not a bug -Package: Reproducible crash +Package: PCRE related -Assigned To: +Assigned To: cmb

[2016-11-18 12:10 UTC] cmb@php.net

I can reproduce the segfault due to "infinite" recursion with the
default pcre.recursion_limit=100000. The script succeeds for me
with pcre.recursion_limit=25000, though. The result is than
correctly `bool(false)` and not `int(1)` which would be wrong.

I don't think this is a bug, because the regexp is
"pathological"[1], and pcre.recursion_limit is already
configurable.

[1] <https://swtch.com/~rsc/regexp/regexp1.html>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 16 20:00:01 2025 UTC