Bug #40022 preg_match() crashes Apache
Submitted: 2007-01-04 13:34 UTC Modified: 2007-01-05 22:44 UTC
From: jeppe at bundsgaard dot net Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.2.0 OS: FreeBSD 6.1/Apache/2.2.3
Private report: No CVE-ID: None
 [2007-01-04 13:34 UTC] jeppe at bundsgaard dot net
Description:
------------
I have the same problems as reported in bug #27070. When running pretty simple preg_match'es on medium size subjects (a few 10.000 bytes), apache crashes reporting:

[Thu Jan 04 11:27:11 2007] [notice] child pid 2793 exit signal Illegal instruction (4)

I have tried with the same code as reported in #27070 - it crashes.

The scripts that crash in the real world do not crash in PHP 4.X.

Reproduce code:
---------------
<?php
# This script crashes Apache :

$subject = str_repeat("a",13800);
preg_match("/(a)*/",$subject);
echo "OK";

# NB: The length of $subject (here 13800) may depend on
# your system. It seems to be related to the memory_limit
# directive (mine is 8M) but not in the way that
# one would expect (it doesn't seem to be something
# like "If I give more memory, then I need a larger
# subject to crash Apache").
# It doesn't crash if I use the pattern "/a*/" instead
# of "/(a)*/".
?>


Expected result:
----------------
OK

Actual result:
--------------
This is the httpd-error.log: [Thu Jan 04 11:27:11 2007] [notice] child pid 2793 exit signal Illegal instruction (4)

This is what I can produce from the coredump. Don't know if that's what is asked for?

#0  0x00000000 in ?? ()
#1  0x294ccea4 in ?? ()
#2  0x294d5a20 in ?? ()
#3  0x280b23d8 in ?? () from /libexec/ld-elf.so.1
#4  0xbfbfea68 in ?? ()
#5  0x28098b3e in _rtld_error () from /libexec/ld-elf.so.1
#6  0x294d3308 in ?? ()
#7  0x280b1018 in tls_dtv_generation () from /libexec/ld-elf.so.1
#8  0x280b23d8 in ?? () from /libexec/ld-elf.so.1
#9  0xbfbfea78 in ?? ()
#10 0x2809908e in elf_hash () from /libexec/ld-elf.so.1
#11 0x2809b970 in dlclose () from /libexec/ld-elf.so.1
#12 0x286f72b4 in ?? () from /usr/local/libexec/apache22/libphp5.so
#13 0x286f734f in ?? () from /usr/local/libexec/apache22/libphp5.so
#14 0x286eddb4 in ?? () from /usr/local/libexec/apache22/libphp5.so
#15 0x286b7463 in ?? () from /usr/local/libexec/apache22/libphp5.so
#16 0x286b7517 in ?? () from /usr/local/libexec/apache22/libphp5.so
#17 0x28766c39 in ?? () from /usr/local/libexec/apache22/libphp5.so
#18 0x28206f1d in run_cleanups () from /usr/local/lib/libapr-1.so.2
#19 0x28207c6d in apr_pool_clear () from /usr/local/lib/libapr-1.so.2
#20 0x080619b0 in main ()


 [2007-01-05 21:50 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You are hitting PCRE recursion, which fills the stack and 
eventually overflows it. You can set a safer limit via
ini_set("pcre.recursion_limit", 1000);

which will prevent a crash.
 [2007-01-05 22:44 UTC] jeppe at bundsgaard dot net
Thanks. That did solve the problem. Sorry for the bogus submission.
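
The limit suggested in the reply turns the stack overflow into a regular PCRE error, which the calling code then has to check for. The following is an added example, not code from the report or from the PHP project; `guarded_preg_match()` is a hypothetical helper name, the subject string is constructed to match the report, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example. Cap PCRE's recursion depth as suggested in the reply, so a
// pattern like /(a)*/ on a long subject fails cleanly instead of
// exhausting the process stack.
ini_set('pcre.recursion_limit', '1000');

// Assumption: PHP 7+ build with the PCRE JIT available. PCRE ignores the
// depth limit for JIT-compiled matches, so the JIT is turned off here.
ini_set('pcre.jit', '0');

/**
 * Run preg_match() and raise an exception when the engine gave up,
 * so a hit limit is never silently treated as "no match".
 */
function guarded_preg_match(string $pattern, string $subject, ?array &$matches = null): bool
{
    $result = preg_match($pattern, $subject, $matches);
    $code   = preg_last_error();

    // Check the error code as well as the return value: it is the
    // error code that says why the match did not complete.
    if ($result === false || $code !== PREG_NO_ERROR) {
        $names = [
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        ];
        throw new RuntimeException(
            'preg_match failed: ' . ($names[$code] ?? "PCRE error $code")
        );
    }

    return $result === 1;
}

// Constructed input with the same shape as the reproduce code in the report.
$subject = str_repeat('a', 13800);

try {
    $matched = guarded_preg_match('/(a)*/', $subject);
    echo $matched ? "matched\n" : "no match\n";
} catch (RuntimeException $e) {
    // Reject or log the input here; do not fall through as if the
    // pattern simply had not matched.
    echo $e->getMessage(), "\n";
}
```

Where a regular expression guards an input check, treat the exception as a rejection of the input rather than as a non-match.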
 
Last updated: Mon May 12 13:01:27 2025 UTC