php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28875 Wrong regex crashes server
Submitted: 2004-06-21 22:58 UTC Modified: 2004-07-15 01:00 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: amoljak at cox dot net Assigned:
Status: No Feedback Package: PCRE related
PHP Version: 4.3.8-dev OS: Windows 2000 Server
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: amoljak at cox dot net
New email:
PHP Version: OS:

 

 [2004-06-21 22:58 UTC] amoljak at cox dot net
Description:
------------
Note the extra ] in the regex. Try to load this page three times and it will crash the third time.

Reproduce code:
---------------
<?php

$filecontent = "my name is amol";
$regex = "/(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees? [Ss]tudents?)([^a-zA-Z0-9-]|$)/es";

//preg_match_all($regex, $filecontent , $matches, PREG_OFFSET_CAPTURE);
preg_match($regex, $filecontent , $matches, PREG_OFFSET_CAPTURE);
print "matches = $matches<br>";

?>


Expected result:
----------------
This is from end user's code and I don't know what he expected. But he was able to crash the server... thats bad.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-22 01:24 UTC] amoljak at cox dot net
I tried PHP 4.3.8-dev and it is not crashing. So I am closing the bug. I will reopen if it occures on the machine I initially tried.

Thanks
 [2004-06-22 18:06 UTC] amoljak at cox dot net
Ok.. It crashes on two servers

And on the third machine it gives the following warning:
Warning: Compilation failed: internal error: code overflow at offset 72 in C:\work\servers\Apache2\htdocs\test\PHP\crashtest.php on line 7

(line 7 is the preg_match thing)
But it does not crash. The php.ini options are the same.

Thanks,
Amol
 [2004-07-06 15:58 UTC] sniper@php.net
What's the difference in the 3rd server to the 2 others..?
And are you aware that PCRE has certain limitations what it can handle and what not?

 [2004-07-06 18:34 UTC] scottmacvicar at ntlworld dot com
[root@devbox scott]# php -v
PHP 4.3.8-dev (cli) (built: Jul  6 2004 17:26:46)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

[root@devbox scott]# uname -a
Linux devbox 2.4.20-31.9 #1 Tue Apr 13 18:04:23 EDT 2004 i686 athlon i386 GNU/Linux

#0  0x4207491d in _int_free () from /lib/tls/libc.so.6
#1  0x42073908 in free () from /lib/tls/libc.so.6
#2  0x080bac88 in php_pcre_compile (pattern=0x82e8fa4 "(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees?[Ss]tudents?)([^a-zA-Z0-9-]|$)", 
    options=4, errorptr=0xbfffc264, erroroffset=0xbfffc268, tables=0x82e8160 "")
    at /usr/local/src/php-4.3.8-dev/ext/pcre/pcrelib/pcre.c:5088
#3  0x080c1270 in pcre_get_compiled_regex (
    regex=0x82e04cc "/(^|[^a-zA-Z0-9-])([Nn]on[-s? []]]degrees?[Ss]tudents?)([^a-zA-Z0-9-]|$)/es", extra=0xbfffc358, 
    preg_options=0xbfffc35c) at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:257
#4  0x080c1513 in php_pcre_match (ht=137265364, return_value=0x82e8114, this_ptr=0x0, return_value_used=0, global=0)
    at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:391
#5  0x080c1e59 in zif_preg_match (ht=4, return_value=0x82e8114, this_ptr=0x0, return_value_used=0)
    at /usr/local/src/php-4.3.8-dev/ext/pcre/php_pcre.c:594
#6  0x0816d836 in execute (op_array=0x82e3f14) at /usr/local/src/php-4.3.8-dev/Zend/zend_execute.c:1635
#7  0x08160ef9 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php-4.3.8-dev/Zend/zend.c:891
#8  0x0813ae67 in php_execute_script (primary_file=0xbfffe9d0) at /usr/local/src/php-4.3.8-dev/main/main.c:1731
#9  0x081724c7 in main (argc=2, argv=0xbfffea54) at /usr/local/src/php-4.3.8-dev/sapi/cli/php_cli.c:822
#10 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6
 [2004-07-15 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2007-05-13 23:06 UTC] nospam at nihonbunka dot com
This seems very similar to the PCRE bug December 2003 No. 14
http://sourceforge.net/project/shownotes.php?release_id=469336&group_id=10194)
"Bug fixes include:
...
14. A pattern such as /[ab]{1,3}+/ failed to compile, giving the error
"internal error: code overflow...". This applied to any character class
that was followed by a possessive quantifier."

The above is essentially a "this is a solution" (not that I have solved it). Why is it not a good idea to post solutions? Is this bug tracker only to help cure the latest stable versions of php? There are many people using older versions, that want to know how to make the older versions of php work. It is with them in mind that I humbly submit this suggestion - to update PCRE. 

Thank you for php.
Tim
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC