Bug #51238 Segfault with preg_replace
Submitted: 2010-03-08 18:01 UTC Modified: 2010-03-09 00:53 UTC
From: odoucet@php.net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.2 OS: all
Private report: No CVE-ID: None
 [2010-03-08 18:01 UTC] odoucet@php.net
Description:
------------
You can make a segfault with a particular regexp (that appears to be used in Mysqli, or in Zend Framework at least).

This bug appears on : 
PHP 5.3.2
PHP 5.2.10
PHP 4

with internal pcrelib of course.


NOTE:
I cannot reproduce this bug every time. Once in a while, the segfault is not triggered (weird ...).

NOTE 2:
Same bug (segfault) with preg_match or preg_match_all


Test script:
---------------
<?php

// Pattern: a single-quoted string whose body may contain \' or \\ escapes
// (in the PHP double-quoted literal, "\\\\" is one regex-escaped backslash).
// The subject opens a quote and never closes it.
preg_replace("/'(\\\\'|\\\\{2}|[^'])*'/",
   '',
   "'".str_repeat("a", 50000)
);

// Note : the bug can be triggered with str_repeat('a', 5000) also.
// The longer the string is, the more chance you have to trigger the segfault.


Expected result:
----------------
working code :)

Actual result:
--------------
Segmentation fault


match (eptr=0xb750b3b7 'a' <repeats 200 times>..., ecode=0x8dcd78e "_", mstart=0xb7508c64 "'", 'a' <repeats 199 times>..., offset_top=4,
    md=0xbfdced54, ims=0, eptrb=0x0, flags=0, rdepth=20133) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:454
454     {

#0  match (eptr=0xb750b3b7 'a' <repeats 200 times>..., ecode=0x8dcd78e "_", mstart=0xb7508c64 "'", 'a' <repeats 199 times>..., offset_top=4,
    md=0xbfdced54, ims=0, eptrb=0x0, flags=0, rdepth=20133) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:454
#1  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#2  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#3  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#4  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#5  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#6  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734


[ ... snip because backtrace shows what appears to be a loop ... ]

#20131 0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#20132 0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#20133 0x080e7df8 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1395
#20134 0x080f235a in php_pcre_exec (argument_re=0x8dcd760, extra_data=0xbfdceef4, subject=0xb7508c64 "'", 'a' <repeats 199 times>...,
    length=50001, start_offset=0, options=Variable "options" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:5641
#20135 0x080f62a9 in php_pcre_replace_impl (pce=0x8dcd8f8, subject=0xb7508c64 "'", 'a' <repeats 199 times>..., subject_len=50001,
    replace_val=0xb74fad54, is_callable_replace=0, result_len=0xbfdcf088, limit=-1, replace_count=0xbfdcf074)
    at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1040
#20136 0x080f6fc5 in php_pcre_replace (regex=0xb74fb284 "/'(\\\\'|\\\\{2}|[^'])*'/", regex_len=21,
    subject=0xb7508c64 "'", 'a' <repeats 199 times>..., subject_len=50001, replace_val=0xb74fad54, is_callable_replace=0, result_len=0xbfdcf088,
    limit=-1, replace_count=0xbfdcf074) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:950
#20137 0x080f7542 in php_replace_in_subject (regex=0xb74fad70, replace=Variable "replace" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1267
#20138 0x080f7bb6 in preg_replace_impl (ht=Variable "ht" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1365
#20139 0x084b3c81 in zend_do_fcall_common_helper_SPEC (execute_data=0xb7470028) at zend_vm_execute.h:313
#20140 0x084acf86 in execute (op_array=0xb74fb1ec) at zend_vm_execute.h:104
#20141 0x08484fe6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/php-5.3.2/Zend/zend.c:1194
#20142 0x0842c036 in php_execute_script (primary_file=0xbfdd16f4) at /usr/src/php/php-5.3.2/main/main.c:2260
#20143 0x085157e8 in main (argc=2, argv=0xbfdd1854) at /usr/src/php/php-5.3.2/sapi/cli/php_cli.c:1192
 [2010-03-09 00:53 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2010-03-09 00:53 UTC] felipe@php.net
This is due to a known PCRE issue.
http://man.he.net/man3/pcrestack

Not a PHP bug. Thanks.
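Added example (not part of this report, of any comment in it, or of PHP's own code): the pcrestack issue felipe points at is that the classic PCRE matcher calls match() recursively once per iteration of a repeated group, so the reporter's pattern needs roughly one C stack frame per character of an unterminated quoted string. The script below shows the two things a practitioner can do about it on attacker-controlled input: cap pcre.recursion_limit so the matcher returns an error that preg_last_error() reports instead of overrunning the stack, and rewrite the pattern in the "unrolled loop" form (possessive class repeat plus an escape-only outer group) so it does not recurse per character at all. It assumes PHP 5.2 or later (preg_last_error and the pcre.* ini settings); the limit value 5000, the helper names and the sample subjects are illustrative choices.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Shows (a) capping PCRE recursion so the reporter's pattern fails with a
// preg error instead of a SIGSEGV, and (b) an "unrolled loop" rewrite of the
// same pattern that does not recurse once per character.
// Assumptions: PHP >= 5.2 (preg_last_error, pcre.recursion_limit); the limit
// 5000 and the sample subjects below are chosen for illustration.

// The reporter's pattern. Each iteration of the captured alternation costs
// one recursive match() frame in the classic PCRE matcher, so an
// unterminated quote followed by N characters needs about N frames before
// the closing "'" finally fails.
$recursivePattern = "/'(\\\\'|\\\\{2}|[^'])*'/";

// Rewrite: the possessive class repeat [^'\\]*+ consumes a whole run of
// ordinary characters inside a single frame; only a real escape sequence
// (backslash + any char) starts another iteration of the outer group.
// Semantics differ slightly from the original: a backslash always escapes
// the next character, so 'a\' is not a complete string here.
$iterativePattern = "/'[^'\\\\]*+(?:\\\\.[^'\\\\]*+)*+'/s";

// Fail closed: the default pcre.recursion_limit (100000) is far above what
// an 8 MiB stack holds (the report crashed at rdepth=20133). 5000 frames is
// a safe ceiling on common platforms; tune it for yours. The JIT (PHP 7+)
// bypasses this limit, so it is disabled here to keep the demo deterministic
// (on PHP 5.x the pcre.jit setting does not exist and ini_set just fails).
ini_set('pcre.jit', '0');
ini_set('pcre.recursion_limit', '5000');

/** Map a preg_last_error() code to its constant name (version-tolerant). */
function pregErrorName($code)
{
    foreach (array('PREG_NO_ERROR', 'PREG_INTERNAL_ERROR',
                   'PREG_BACKTRACK_LIMIT_ERROR', 'PREG_RECURSION_LIMIT_ERROR',
                   'PREG_BAD_UTF8_ERROR', 'PREG_BAD_UTF8_OFFSET_ERROR',
                   'PREG_JIT_STACKLIMIT_ERROR') as $name) {
        if (defined($name) && constant($name) === $code) {
            return $name;
        }
    }
    return "unknown preg error $code";
}

/**
 * Strip quoted strings from $subject. Never treat NULL from preg_replace as
 * "nothing matched": it means the matcher gave up on a limit.
 */
function stripQuoted($pattern, $subject)
{
    $result = preg_replace($pattern, '', $subject);
    if ($result === null) {
        return 'FAILED: ' . pregErrorName(preg_last_error());
    }
    return $result;
}

// Constructed inputs: the crashing one from the report and a well-formed one.
$unterminated = "'" . str_repeat('a', 50000);
$wellFormed   = "x 'it\\'s \\\\ fine' y";   // x 'it\'s \\ fine' y

foreach (array('recursive' => $recursivePattern,
               'iterative' => $iterativePattern) as $label => $pattern) {
    $out = stripQuoted($pattern, $unterminated);
    printf("%-9s unterminated -> %s\n", $label,
           strlen($out) > 40 ? substr($out, 0, 40) . '...' : $out);
    printf("%-9s well-formed  -> %s\n", $label, stripQuoted($pattern, $wellFormed));
}
```

Run with `php demo.php`. With the limit in place the recursive pattern reports FAILED: PREG_RECURSION_LIMIT_ERROR on the unterminated subject instead of crashing, while the iterative pattern returns the subject unchanged after a single linear scan; both reduce the well-formed sample to `x  y`. On PHP 7.3 and later, which bundle PCRE2, match() no longer recurses on the C stack, so the original report no longer segfaults, but the limit check and the pattern rewrite still bound the work an attacker-supplied string can cause, and the NULL-vs-string check on preg_replace is what keeps a hit limit from silently passing unfiltered input through.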
 [2010-04-27 15:15 UTC] ap at jusmeum dot de
We have a similar segfault from time to time when using the PCRE functions. I tried setting ulimit -s to insanely high values with no effect on the frequency of the bug and it just happens with PHP 5.3.2 and no older versions. Anything else I can try?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 02:01:28 2024 UTC