Bug #47811 preg_match that can cause segmentation fault
Submitted: 2009-03-27 17:26 UTC
Modified: 2009-04-14 20:56 UTC
Votes: 13
Avg. Score: 4.9 ± 0.3
Reproduced: 12 of 12 (100.0%)
Same Version: 9 (75.0%)
Same OS: 3 (25.0%)
From: travis at wikihow dot com
Assigned: nlopess
Status: Not a bug
Package: Reproducible crash
PHP Version: 5.2.9
OS: CentOS release 4.4 & Mac OS 10.4
Private report: No
CVE-ID: None

 [2009-03-27 17:26 UTC] travis at wikihow dot com
Description:
------------
Run a preg_match with source text attached and get a seg fault. Apache 2.2 / PHP 5.2.9 and PHP 5.2.4. 

preg_match('@<object(.|\n)*</object>@im', $text, $matches);




Reproduce code:
---------------
http://wikidiy.com/php_bug_crash.txt

Expected result:
----------------
Apache is not supposed to crash; it completes preg_match and dumps the $matches array.

Actual result:
--------------
Apache seg faults

[Fri Mar 27 12:16:05 2009] [notice] child pid 6391 exit signal Segmentation fault (11)

 [2009-03-27 23:53 UTC] dennis dot birkholz at nexxes dot net
I have a similar segfault testcase for preg_match. It always crashes at a string length of around 6700. PHP is 5.2.8 on Gentoo Linux.

<?php
# Create my test-string
$string = '';
for ($i=0; $i<20000; $i++) {
	$string .= 'a';
}

# The pattern matches for \\, \", everything except " and "
$pattern = '/^(\\\\|\\"|[^"]|")+$/';

print "Trying with string length " . "\033" . '[s';

for ($counter=6600; $counter<strlen($string); $counter++) {
	if (preg_match($pattern, substr($string,0,$counter), $matches)) {
		print "\033" . '[u' . $counter . '...';
		flush();
		
		list($dummy, $aa) = $matches;
	}
}
print "\n";
 [2009-03-30 11:24 UTC] scope at planetavent dot de
Here's another snippet:

<?php

$s = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

$pattern = "@(X)*@";

$return = preg_match( $pattern, $s );

echo $return;

?>

This one crashes Apache 2.2.8 and 2.2.11 with php-5.2.9 and php-5.2.9-1 on Windows 2003.
 [2009-03-30 12:22 UTC] pajoye@php.net
Nuno, can you take a look please? Can reproduce it here too.
 [2009-04-02 12:27 UTC] Phil dot H at gmx dot net
Another PHP preg_match crash using PHP 5.2.9-1 on Windows XP and 2003R2:

<?php
$string    = str_repeat('blub ', 100000);
$regexp = '/ \G (?P<text> (?:.(?!\[% ))*.(?=\[%| $))/isx';

if (preg_match($regexp, $string, $aMatches, PREG_OFFSET_CAPTURE, 0)) {
	echo "matched\n";
}
echo "finished";
?>
 [2009-04-02 12:39 UTC] felipe@php.net
This stack overflow is expected. See the earlier bug reports.
 [2009-04-14 20:56 UTC] nlopess@php.net
Felipe is right. This is not a bug, just the expected stack overflow. You can "fix" the problem by increasing the stack size.
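
The thread closes by calling the crash an expected stack overflow. One way to make such a pattern fail with an error code instead of a segfault, as an added example that is not part of the bug report or PHP's own code: it assumes a PCRE build that honors pcre.recursion_limit, and the helper name guarded_preg_match, the limit of 5000 and the sample text are constructed for illustration.

```php
<?php
// Added example, not from the bug report.
// guarded_preg_match() and the limit value 5000 are hypothetical choices.

/**
 * Run preg_match() with a lowered pcre.recursion_limit so that a deeply
 * recursing pattern is aborted by PCRE with an error code rather than
 * exhausting the process stack. Returns 1 or 0 like preg_match();
 * throws when PCRE gave up on the match.
 */
function guarded_preg_match($pattern, $subject, &$matches = null, $recursionLimit = 5000)
{
    $previous = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    $result = preg_match($pattern, $subject, $matches);
    $error = preg_last_error();          // capture before touching anything else
    if ($previous !== false) {
        ini_set('pcre.recursion_limit', $previous);   // restore the old limit
    }
    if ($result === false || $error !== PREG_NO_ERROR) {
        throw new RuntimeException("PCRE aborted the match, preg_last_error() = $error");
    }
    return $result;
}

// Constructed sample input: a long multi-line <object> block.
$text = '<object>' . str_repeat("param line\n", 20000) . '</object>';

// The pattern from the report repeats a capturing group once per character,
// which is what drives the recursion depth up with the subject length.
try {
    guarded_preg_match('@<object(.|\n)*</object>@im', $text, $m);
    echo "original pattern matched\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Same intent without the repeated group: the s modifier lets "." match
// newlines, so no per-character alternation is needed.
try {
    guarded_preg_match('@<object.*</object>@is', $text, $m);
    echo strlen($m[0]), " bytes matched by rewritten pattern\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Any caller that treats a return value of false as "no match" hides the aborted match, so the preg_last_error() check is the part to keep even if the limit is set globally in php.ini.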
 