php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14304 Potential problem with regex...
Submitted: 2001-11-30 13:40 UTC Modified: 2002-01-02 14:05 UTC
From: bajolet at toiletoine dot net Assigned:
Status: Closed Package: Regexps related
PHP Version: 4.0.6 OS: Linux php3-2 2.4.7 #1 Thu Aug 9
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bajolet at toiletoine dot net
New email:
PHP Version: OS:

 

 [2001-11-30 13:40 UTC] bajolet at toiletoine dot net
Summary :
A function works well on php 4.0.5 and enters an infinite loop on php 4.0.6.

Function entering in infinite loop :
The purpose of this function is to parse a template containing some tags, line by line, and replace them by values contained in the $t_strings array.

The input can be :
<td bgcolor="#FFCC00" colspan="2"><phpdig:previous_link src='./tpl_img/left.gif'/><phpdig:pages_bar/><phpdig:next_link src='./tpl_img/right.gif'/></td>

i think the str_replace() function don't replace anything ; the while statment stays always true, etc...

function  parse_phpdig_tags($line,$t_strings)
{
while(eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>',$line,$regs))
                 {
                 //links with images
                 if ($regs[2])
                     {
                     if ($regs[3] && $t_strings[$regs[1]])
                         {
                         if (ereg('^http',$t_strings[$regs[1]]))
                             $target = ' target="_blank"';
                         else
                             $target = '';

                         $replacement = '<A href="'.$t_strings[$regs[1]].'"'.$target.'><img src="'.$regs[3].'" border="0" align="bottom"></a>';
                         }
                     else
                         {
                         $replacement = '';
                         }
                     $line = str_replace($regs[0],$replacement,$line);
                     }
                 else
                     {
                     $line = str_replace($regs[0],$t_strings[$regs[1]],$line);
                     }
                 }

           return $line;
}

Configuration not working (php 4.0.6) :
 '../configure' '--prefix=/usr' '--prefix=/usr' '--with-regex=system' '--enable-force-cgi-redirect' '--with-config-file-path=/etc/php4/cgi' '--disable-rpath' '--disable-pear' '--enable-memory-limit' '--enable-calendar' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-db2' '--with-ndbm' '--enable-exif' '--enable-filepro' '--with-gettext' '--enable-track-vars' '--enable-trans-sid' '--disable-debug' '--disable-static' '--with-mm' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--with-xml=/usr' '--with-expat-dir=/usr' '--with-zlib' '--enable-email' '--disable-posix' '--without-mysql' '--without-sybase-ct'

Configuration working (php 4.0.5) :
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-pgsql=/usr/local/pgsql' '--with-ldap' '--with-openssl' '--with-domxml' '--with-bcmath' '--enable-track-vars' '--with-gd=../gd-1.8.4' '--enable-freetype-4bit-antialias-hack' '--with-mysql' '--with-jpeg-dir=../jpeg-6b' '--with-png-dir=../libpng-1.0.12' '--with-freetype-dir=../freetype-2.0.4' '--with-zlib-dir=../zlib' '--with-sablot=SHARED' '--enable-bcmath' '--enable-ftp' '--enable-sockets' '--enable-magic-quotes' '--enable-versioning'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-11-30 13:45 UTC] bajolet at toiletoine dot net
Sorry, i forgot :
All the application in dowloadable at : http://phpdig.toiletoine.net/phpdig_1_4_3.zip
 [2001-12-01 23:43 UTC] zak@php.net
Please reduce this to a simpler test case. If there is a 
bug in str_replace, then it should be reproduceable with a 
simple one line test. Logging how the str_replace 
functions are called should let you find the culprit.

A line like this after the function calls are made should 
do the trick.
error_log ("$line = 
str_replace({$regs[0]},$replacement,$line);\n", 3, 
'./str_rep_log');

Good Luck!

 [2001-12-09 08:00 UTC] bajolet at toiletoine dot net
I isolate the bug :
this works :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_message/></i></td>',$regs);

this doesn't (php loops) :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_common_message/></i></td>',$regs);

 [2001-12-09 08:08 UTC] bajolet at toiletoine dot net
Changed bug type to Regexps
 [2001-12-11 17:39 UTC] zak@php.net
Thanks for the additional information.

I tested the code snippets provided on PHP 4.1.0 - they 
all seem to operate as expected. The input of both 
snippets (when fed to your original function) returns 
'<br><i></i></td>'

The regular expressions provided later seem to work as 
well.

The top snippet captures:

array(10) {
  [0]=>
  string(24) "<phpdig:ignore_message/>"
  [1]=>
  string(14) "ignore_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

...and the bottom snippet captures:

array(10) {
  [0]=>
  string(31) "<phpdig:ignore_common_message/>"
  [1]=>
  string(21) "ignore_common_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

Is this the output that you get with PHP 4.0.6? Please let 
me know!



 [2001-12-12 01:31 UTC] bajolet at toiletoine dot net
The problem is there...
I got the first result :

>array(10) {
>  [0]=>
>  string(24) "<phpdig:ignore_message/>"
>  [1]=>
>  string(14) "ignore_message"
>  [2]=>
>  ...

But on the second, i got nothing but a 'maximum execution time exceeded'.
I traced my code with some echoes and flush(), and it seems that the php engine stays on the eregi() function.
It not core dump, but Apache goes 100% CPU until the timeout occurs.
 [2001-12-12 01:41 UTC] zak@php.net
I cannot reproduce the problem under PHP 4.1.0. Can you 
upgrade to this version?

 [2002-01-02 14:05 UTC] lobbin@php.net
No feedback. Closing.
 [2002-07-10 13:42 UTC] estelle at megaphone dot ch
Solaris 8, Apache 1.3.26, PHP 4.1.2 : ereg function causes a 100% CPU of the httpd process and then dies with a "maximum time exceeded".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 15:01:32 2024 UTC