PHP :: Bug #15829 :: using nonexistingn back reference in regex crashes PHP

Bug #15829	using nonexistingn back reference in regex crashes PHP
Submitted:	2002-03-02 06:47 UTC	Modified:	2002-06-17 18:57 UTC
From:	sander@php.net	Assigned:
Status:	Closed	Package:	Reproducible crash
PHP Version:	4.0CVS-2002-03-0	OS:	Debian (Sid) Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	sander@php.net
New email:
PHP Version:		OS:

New Comment:

[2002-03-02 06:47 UTC] sander@php.net

The testscript ext/standard/tests/reg/012.phpt (" nonexisting back reference") causes PHP to segfault:

<?php $a="abc123";
  echo ereg_replace("123",'def\1ghi',$a)?>

#0  0x4017e197 in memcpy () from /lib/libc.so.6
#1  0x08133fd5 in php_reg_replace (pattern=0x82daf4c "123", 
    replace=0x82daf64 "def\\1ghi", string=0x82daf84 "abc123", icase=0, 
    extended=1) at reg.c:377
#2  0x081343ca in php_ereg_replace (ht=3, return_value=0x82daf2c, 
    this_ptr=0x0, return_value_used=1, icase=0) at reg.c:475
#3  0x081344b5 in zif_ereg_replace (ht=3,nonexisting back reference
 return_value=0x82daf2c, 
    this_ptr=0x0, return_value_used=1) at reg.c:493
#4  0x08175b9e in execute (op_array=0x82dafcc) at ./zend_execute.c:1598
#5  0x080895ee in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#6  0x080946e6 in php_execute_script (primary_file=0xbffffa48) at main.c:1337
#7  0x08076493 in main (argc=2, argv=0xbffffac4) at php_cli.c:555
#8  0x4012265f in __libc_start_main () from /lib/libc.so.6

Configure line:
'./configure'  '--with-apxs=/usr/local/apache/bin/apxs'  '--with-mysql'  '--enable-ftp'  '--enable-sockets'  '--enable-calendar'  '--enable-bcmath'  '--with-pcntl'  '--enable-ctype'  '--with-mhash'  '--with-openssl'  '--enable-dbase'  '--with-curl'  '--enable-dbx'  '--enable-dio'  '--enable-exif'  '--with-pgsql'  '--with-pspell'  '--enable-filepro'  '--enable-gd'  '--enable-gd-native-ttf'  '--with-jpeg-dir=/usr'  '--with-png-dir=/usr'  '--with-gettext'  '--with-gmp'  '--enable-mailparse'  '--enable-mbstring'  '--enable-mbstr-enc-trans'  '--enable-mgrexeg'  '--with-zlib'  '--with-bzip2'  '--with-imap'  '--enable-inline-optimization'  '--with-readline'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-02 07:15 UTC] yohgaki@php.net

With my configuration it passes. 

Running tests in /home/yohgaki/cvs/php/DEV/ext/standard/tests/reg
=================================================================
\0 back reference                                                    ... passed

However, there is something wrong in current PHP. I got exit status 255 when run-tests.php finished. (It doesn't now)

The real problem may be in broken heap memory area by some other place.

[2002-03-02 07:24 UTC] sander@php.net

Errm...
That test passes here too:
\0 back reference                                                    ... passed

But this one doesn't:
nonexisting back reference (012.phpt)                                ... failed
(it crashes)

[2002-03-02 07:25 UTC] derick@php.net

Doesn't crash for me:

php -q

<?php $a="abc123";
  echo ereg_replace("123",'def\1ghi',$a)?>

abcdef\1ghi


Derick

[2002-03-02 07:42 UTC] sander@php.net

It crashes with a plain ./configure too btw...

[2002-04-12 12:38 UTC] cynic@php.net

I have it segfaulting there as well.

FreeBSD roman.mobil.cz 4.4-STABLE FreeBSD 4.4-STABLE #0: Wed Dec 26 12:45:18 CET 2001     root@roman.mobil.cz:/usr/obj/usr/src/sys/CRUDPUPPY_3  i386

'./configure' \
'--disable-shared' \
'--disable-session' \
'--enable-debug' \
'--enable-inline-optimization' \
'--enable-dio' \
'--enable-ftp' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-sockets' \
'--enable-tokenizer' \
'--without-mysql' \
'--with-openssl' \
'--with-zlib' \
'--with-bz2' \
'--with-curl' \
'--with-gettext' \
'--with-iconv' \
'--with-ncurses' \
'--with-readline' \
"$@"

I don't have a backtrace yet.

[2002-04-12 14:57 UTC] sniper@php.net

Doesn't crash here either..

[2002-04-12 15:09 UTC] cynic@php.net

which branch? I'm seeing this on HEAD.
I've just started a new build, will post backtrace within 20 minutes.

[2002-04-12 15:22 UTC] sander@php.net

I reported this BEFORE 4.2.0 was branched. 
I can't reproduce it anymore with todya's HEAD.

[2002-04-12 15:42 UTC] cynic@php.net

I'm afraid this will get through terribly mangled...

roman@roman ~/install/php4-latest > cat ~/tmp/ereg.test                                                  141:1
<?
    $foo = "abc123";
    echo ereg_replace("123", 'def\1ghi', $foo);
    echo "\n";
?>
roman@roman ~/install/php4-latest > ./php -c /dev/null -qC ~/tmp/ereg.test                               142:0
zsh: 84733 segmentation fault (core dumped)  ./php -c /dev/null -qC ~/tmp/ereg.test
roman@roman ~/install/php4-latest > gdb ./php ./php.core                                                 144:0
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `php'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libhistory.so.4...done.
Reading symbols from /usr/lib/libreadline.so.4...done.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/local/lib/libgiconv.so.2...done.
Reading symbols from /usr/local/lib/libintl.so.1...done.
Reading symbols from /usr/lib/libssl.so.2...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/local/lib/libcurl.so.2...done.
Reading symbols from /usr/lib/libbz2.so.1...done.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x284c7c82 in memcpy () from /usr/lib/libc.so.4
(gdb) bt
#0  0x284c7c82 in memcpy () from /usr/lib/libc.so.4
#1  0xd570337c in ?? ()
#2  0x80cd88a in php_ereg_replace (ht=3, return_value=0x820b864, this_ptr=0x0, return_value_used=1, icase=0)
    at /home/roman/install/php4-latest/ext/standard/reg.c:476
#3  0x80cd9d8 in zif_ereg_replace (ht=3, return_value=0x820b864, this_ptr=0x0, return_value_used=1)
    at /home/roman/install/php4-latest/ext/standard/reg.c:494
#4  0x815633a in execute (op_array=0x820c724) at /home/roman/install/php4-latest/Zend/zend_execute.c:1598
#5  0x8145f6d in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/roman/install/php4-latest/Zend/zend.c:810
#6  0x8118b69 in php_execute_script (primary_file=0xbfbffa78)
    at /home/roman/install/php4-latest/main/main.c:1405
#7  0x815baf4 in main (argc=5, argv=0xbfbffaf4) at /home/roman/install/php4-latest/sapi/cgi/cgi_main.c:1020
#8  0x8064819 in _start ()
(gdb)

[2002-06-17 17:19 UTC] msopacua at idg dot nl

As referred from dupe 17786.

I can't get a good backtrace, but I'm sure I have a debug build, since phpinfo() says so and I have several leak reports my error log, when running chora 1.1.
I also was able to reproduce it in apache, but the debug info is exactly the same. Even forcing CFLAGS=-g doesn't help.

[2002-06-17 17:34 UTC] sniper@php.net

There was some patch put in just today..could you try the
latest snapshot (or preferrably get all the stuff straight from CVS..if you don't do that already :)

[2002-06-17 18:44 UTC] msopacua at idg dot nl

Repository revision: 1.63    /repository/php4/ext/standard/reg.c,v

fixes the issue for me.

[2002-06-17 18:57 UTC] sniper@php.net

Good, closing these then.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 26 22:00:01 2025 UTC