php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #7509 Problem (buffer overflow?) with ereg()
Submitted: 2000-10-28 06:12 UTC Modified: 2000-10-30 12:57 UTC
From: ignacio at openservices dot net Assigned:
Status: Closed Package: Regexps related
PHP Version: 4.0 Latest CVS (28/10/2000) OS: Red Hat Linux 6.2
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ignacio at openservices dot net
New email:
PHP Version: OS:

 

 [2000-10-28 06:12 UTC] ignacio at openservices dot net
When I give ereg() a sufficiently complex RE, PHP seems to roll over and die or something the next time it calls ereg(). It has exhibited this behavior since 4.0.1pl2, when we first put the code in place.

Here's the code:

"""
  while (ereg("^((.|\n)*)<[[:space:]]*[Ff][Oo][Rr][Mm][Ss][Ee][Tt][[:space:]]*([Tt][Yy][Pp][Ee]=(\"[^\"]*\"|[^\">]*))?[[:space:]]*>((.|\n)*)$", $string, $out))
  {
error_log("after 1",0);
flush();
    if ($out[4][0]=="\"")
{
error_log("after 2",0);
flush();
      $type=substr($out[4], 1, -1);
error_log("after 3",0);
flush();
}
    else
{
error_log("after 4",0);
flush();
      $type=$out[4];
error_log("after 5",0);
flush();
};
error_log("after 6",0);
    $string=$out[1].FORMSETFUN($type).$out[5];
error_log("after 7",0);
flush();
$formexists=1;
  };
error_log("after formset",0);
flush();
"""

It gets to "after 7" and then dies. If the 'while' is changed to an 'if', the problem exhibits itself on subsequent calls to ereg() further down.

PHP is configured to use the system RE libs, so I'm wondering if the problem might be in there. Nonetheless, I'm putting it in the PHP bug list so I can be sure.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-10-30 12:57 UTC] ignacio at openservices dot net
Hmm... configured with '--with-regex=php' and it works fine now. Oh well. Time to dig through the source and send Red Hat a bug report I suppose.
 [2002-07-10 14:24 UTC] estelle at megaphone dot ch
Solaris 8, php 4.1.2, apache 1.3.26 (dso). Recompiled PHP --with-regex=php : problem still here.
httpd child takes 100% CPU on the ereg function.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC