Bug #41448 segmentation fault
Submitted: 2007-05-20 08:22 UTC
Modified: 2007-05-21 08:57 UTC
From: whitephoenix at mail dot ru
Assigned:
Status: Not a bug
Package: PCRE related
PHP Version: 5.2.2
OS: CentOS 4.3 64-Bit
Private report: No
CVE-ID: None
 [2007-05-20 08:22 UTC] whitephoenix at mail dot ru
Description:
------------
The following source gives a segfault on CentOS 4.3 64-Bit and PHP 5.2.2.
Don't be scared, this regular expression is a real parser for my template engine, and it works with other operating systems.
The result depends on the subject, so with '$var' it works well, but with '$var[anything]' it crashes.

Reproduce code:
---------------
<?php
echo 'proof of compilation'."\n";
preg_replace(
    '~(([\'"]).*?(?<!\\\\)\2|\w*\s*\(((?:(?R)|.)*?)\)'
    .'|[\$#]\w+#?(?:\\[(?:(?R)|((?:[^\\]\'"]*(?:([\'"]).*?(?<!\\\\)\5)?)*))*?\\]|\.[\$#]?\w+#?|->\s*[\$#]?\w+(?:\(((?:(?R)|.)*?)\))?)*'
    .'|-?\d+|(?<=^|[\s\)\:\.=+\-<>])(?:\w+)(?=$|[\s\|\.\:\(=+\-<>]))(\s+(?:is(?:\s+not)?\s+(?:odd|div|even)\s+by\s+-?\d+|is(?:\s+not)?\s+(?:odd|even)))?((?:\|@?\w+(?:\\:(?:'.'\w*\(((?:(?R)|.)*?)\)|[\$#]\w+#?(?:\\[(?:(?R)|((?:[^\\]\'"]*(?:([\'"]).*?(?<!\\\\)\11)?)*))*?\\]|\.[\$#]?\w+#?)*|[^\'"\:]*(?:[^\'"\:]*([\'"]).*?(?<!\\\\)\12[^\'"\:]*)*'.'))*)*)'
    .'|((?<=\s|\))(?:is\s+not|is|not\s+eq|eq|neq?|gt|lt|gt?e|ge|lt?e|mod)(?=\s|\()|(?:not\s+))'
    .'~si','any replacement','$var[index]');

Expected result:
----------------
"any replacement"

Actual result:
--------------
[root@72 _test]# php -q bug.php
proof of compilation
Segmentation fault


 [2007-05-20 10:19 UTC] nlopess@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I don't have access to a 64-bit machine, so I need the backtrace to take a look.
 [2007-05-21 01:08 UTC] judas dot iscariote at gmail dot com
PCRE crashes on match(), with either the bundled version or with the latest 7.1. It does not crash with 6.7.

This is reproducible in both 32 and 64 bit here, so you don't need a 64-bit machine to get a backtrace ;-)
 [2007-05-21 08:57 UTC] tony2001@php.net
The stack overflow in the PCRE library has been reported to us numerous times, please search the database before reporting.
The only thing we can do about it is limit the recursion using the new INI options. The problem itself has nothing to do with PHP and should be reported to the PCRE developers (but I'm sure they are well aware of it).

Btw, I'm unable to reproduce it using PCRE 7.1 (though I don't believe there were any major updates to this issue, so this must be caused by my OS/system/build/etc.).
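
The INI-based mitigation mentioned in the last comment, as an added example that is not part of the original report or of PHP's own code. It assumes the options meant are pcre.recursion_limit and pcre.backtrack_limit (both available since PHP 5.2.0); guarded_preg_replace(), the limit values and the sample input are hypothetical.

```php
<?php
// Added example: run a regex under explicit PCRE limits and surface a limit
// failure instead of silently treating the NULL return as "no match".
// guarded_preg_replace() and the default limit values are assumptions.

function guarded_preg_replace($pattern, $replacement, $subject,
                              $recursionLimit = 5000, $backtrackLimit = 100000)
{
    // Both settings are PHP_INI_ALL, so they can be tightened at runtime.
    // pcre.recursion_limit counts nested match calls, not bytes, so it has
    // to be sized against the stack available to the PHP process.
    $oldRec  = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    $oldBack = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);

    $result = preg_replace($pattern, $replacement, $subject);
    $error  = preg_last_error();

    // Restore the previous limits for the rest of the request.
    if ($oldRec !== false)  { ini_set('pcre.recursion_limit', $oldRec); }
    if ($oldBack !== false) { ini_set('pcre.backtrack_limit', $oldBack); }

    // preg_replace() returns NULL on error; preg_last_error() says which one.
    if ($result === null || $error !== PREG_NO_ERROR) {
        $names = array(
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit exceeded',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit exceeded',
            PREG_BAD_UTF8_ERROR        => 'malformed UTF-8 in subject',
        );
        $why = isset($names[$error]) ? $names[$error] : 'error code ' . $error;
        throw new RuntimeException('preg_replace failed: ' . $why);
    }
    return $result;
}

// Constructed input: a small recursive (?R) pattern and a deeply nested
// subject, standing in for untrusted template text fed to a recursive parser.
$pattern = '~\((?:[^()]|(?R))*\)~';
$subject = str_repeat('(', 20000) . str_repeat(')', 20000);

try {
    echo guarded_preg_replace($pattern, 'X', $subject), "\n";
} catch (RuntimeException $e) {
    // Whether a limit is hit depends on the PCRE build in use.
    echo $e->getMessage(), "\n";
}
```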
 