Bug #52368 crash in preg_replace_impl
Submitted: 2010-07-17 23:48 UTC Modified: 2013-02-18 00:34 UTC
From: cobexer at gmail dot com Assigned:
Status: No Feedback Package: PCRE related
PHP Version: 5.2.13 OS: Debian Lenny (5.0.5)
Private report: No CVE-ID: None
 [2010-07-17 23:48 UTC] cobexer at gmail dot com
Description:
------------
The crash occurring is most likely related to very high integer/double values (>10M) being inserted in a long string (~20K).
The problem does not occur on PHP 5.3.something, so it might be a simple backport :). Unless somebody can tell me how I get more information out of the crashing process, this is all I have (trying to print local variables of the crashing function results in:

(gdb) p **regex
Cannot access memory at address 0x686f72393438343e
or similar)

The regular expression involved is most likely:
'/\{([A-Z0-9_]*)(?:\|(?P<escaper>[A-Z0-9_]+))?\}/'
executed by preg_replace_callback, where the callback is an array('class_name', 'some_private_function')

If required I'll try to build a small test script and attach it, but I guess it's not required.


Probably related to http://bugs.php.net/bug.php?id=39016

reproducible: always


Test script:
---------------
<?php
//no test script currently available
?>

Expected result:
----------------
No PHP crash; correctly replaced string.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f877c078750 (LWP 6259)]
preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, is_callable_replace=0 '\0')
    at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
warning: Source file is more recent than executable.
32		if (zvalue->type <= IS_BOOL) {
(gdb) bt
#0  preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, 
    is_callable_replace=0 '\0') at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
#1  0x00007f8774cef3cd in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff5410) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
#2  0x00007f8774cd8134 in execute (op_array=0xf02040) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#3  0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff5760) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#4  0x00007f8774cd8134 in execute (op_array=0xef48b0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#5  0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff5e70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#6  0x00007f8774cd8134 in execute (op_array=0xf03780) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#7  0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff6330) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#8  0x00007f8774cd8134 in execute (op_array=0xf02c90) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#9  0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff9ac0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#10 0x00007f8774cd8134 in execute (op_array=0xa2aa70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#11 0x00007f8774cb41c8 in zend_execute_scripts (type=32767, retval=0x0, file_count=-25624) at /usr/src/php5/source/php5-5.2.13/Zend/zend.c:1215
#12 0x00007f8774c6e0ea in php_execute_script (primary_file=Cannot access memory at address 0x8000ffff8b50
) at /usr/src/php5/source/php5-5.2.13/main/main.c:2058
#13 0x00007f8774d2aa73 in php_handler (r=0x7f877423690a) at /usr/src/php5/source/php5-5.2.13/sapi/apache2handler/sapi_apache2.c:643
#14 0x0000000000438f73 in ap_run_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:159
#15 0x000000000043c53f in ap_invoke_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:373
#16 0x000000000044970e in ap_process_request (r=0xecc9a8)
    at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_request.c:258
#17 0x0000000000446838 in ap_process_http_connection (c=0xdfec88)
    at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_core.c:190
#18 0x0000000000440493 in ap_run_process_connection (c=0xdfec88) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/connection.c:43
#19 0x000000000044dd10 in child_main (child_num_arg=<value optimized out>)
    at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#20 0x000000000044e064 in make_child (s=0x675968, slot=1)
    at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#21 0x000000000044e60c in ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized out>, s=0x675968)
    at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:795
#22 0x0000000000425be5 in main (argc=3, argv=0x7fffffffc558) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/main.c:732
(gdb) bt full
#0  preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, 
    is_callable_replace=0 '\0') at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
	regex = (zval **) 0xa155b0
	replace = (zval **) 0xa155b8
	subject = (zval **) 0xa155c0
	limit = (zval **) 0x7f8774cd1a4d
	subject_entry = (zval **) 0xa155c8
	zcount = (zval **) 0x7f8774d1b868
	result = 0x12a8a08 "�\220*\001"
	result_len = 0
	limit_val = -1
	string_key = 0x10 <Address 0x10 out of bounds>
	num_key = 19345208
	callback_name = 0xef2b88 "pE9\001"
	replace_count = 10573224
	replace_count_ptr = (int *) 0x7fffffff4cd0
#1  0x00007f8774cef3cd in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffffff5410) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
	return_reference = 1 '\001'
	opline = (zend_op *) 0x8
	original_return_value = (zval **) 0x80a370
	current_scope = (zend_class_entry *) 0xf04fe8
	current_this = (zval *) 0x0
	return_value_used = 0
	should_change_scope = 41 ')'
#2  0x00007f8774cd8134 in execute (op_array=0xf02040) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
	execute_data = Cannot access memory at address 0x8000ffff5410
(gdb) 

 [2010-07-18 19:39 UTC] felipe@php.net
-Status: Open +Status: Feedback
 [2010-07-18 19:39 UTC] felipe@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2010-07-30 21:24 UTC] cobexer at gmail dot com
Hmm, that crash is hard to nail down;
it doesn't crash on all of my computers, therefore I did the following:
 * created a crashing test script (currently ~150 lines)
 * compiled PHP 5.2.14 (with -O0) (in /php) on an i586 openSUSE Factory (a bit newer than 11.3)
 * created a core dump
 * tar.gz'ed it together
 and uploaded that to http://gomorrah-online.de/php-5.2.14-crash.tar.gz
Important contents:
 scrash.php : the PHP script with the code to crash (run with php -e)
 scrash.php.log : the output of the script till it crashed
 php-bt.txt : output of "bt" and "bt full"
 core : the core dump itself

Maybe that helps already,
regards cobexer
 [2010-08-09 03:19 UTC] felipe@php.net
Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2010-08-12 21:19 UTC] cobexer at gmail dot com
I did a quick test today.
Using http://snaps.php.net/php5.3-latest.tar.gz (from yesterday) does not crash (as expected, since the problem didn't exist there anyway).
However, using http://snaps.php.net/php5.2-latest.tar.gz (from yesterday) still crashes on the same line as before.
(Tested on i586 openSUSE 11.4 (Factory).)

regards cobexer
 [2010-08-30 21:05 UTC] cobexer at gmail dot com
I found a workaround for the crash:
as soon as I removed the $count parameter (and the $limit) the crash was gone =)

mixed preg_replace_callback ( mixed $pattern , callback $callback , mixed $subject [, int $limit = -1 [, int &$count ]] )

regards cobexer
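The report never got the short reproducer felipe asked for. The script below is an added regression check (not the reporter's scrash.php and not PHP project code) that exercises the exact call shape described in this thread: the named-group pattern from the report, a class-name plus private-method callback, a ~20K-byte subject containing large integer/double values, and the explicit $limit and &$count arguments the workaround comment identifies. The Template class, its method names and all input values are assumptions constructed for the example.

```php
<?php
// Added regression script (not the reporter's scrash.php, which was never
// attached). Assumes a stand-in Template class for the report's
// 'class_name' / 'some_private_function'; all input below is constructed.
class Template
{
    // Same pattern as the report: {NAME} or {NAME|ESCAPER}.
    const PATTERN = '/\{([A-Z0-9_]*)(?:\|(?P<escaper>[A-Z0-9_]+))?\}/';
    private static $vars = array();

    // Uses the full signature the workaround comment points at: explicit
    // $limit plus &$count, the two arguments whose removal stopped the crash.
    public static function render($tpl, array $vars, &$count)
    {
        self::$vars = $vars;
        return preg_replace_callback(
            self::PATTERN,
            array(__CLASS__, 'replaceOne'), // class-name + private method callback
            $tpl,
            -1,                             // $limit
            $count                          // &$count
        );
    }

    // Private callback; resolvable because the call is made from inside the class.
    private static function replaceOne(array $m)
    {
        $value = isset(self::$vars[$m[1]]) ? self::$vars[$m[1]] : '';
        // Optional escaper, e.g. {NOTE|HTML}. The group is omitted from $m
        // when it did not participate, so test with empty().
        if (!empty($m['escaper']) && $m['escaper'] === 'HTML') {
            $value = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        }
        return (string) $value;
    }
}
// Constructed input: ~22K-byte template with large integer/double values,
// the conditions the report associates with the crash (4 placeholders x 400 lines).
$line = "id={ID} total={TOTAL|HTML} ratio={RATIO} <{NOTE|HTML}>\n";
$tpl  = str_repeat($line, 400);
$vars = array('ID' => 123456789, 'TOTAL' => 98765432.5,
              'RATIO' => 1.0e12, 'NOTE' => 'a&b');

$count  = 0;
$result = Template::render($tpl, $vars, $count);
// Expected, non-crashing behaviour: every placeholder replaced, $count filled in.
assert($count === 1600);
assert(strpos($result, '{') === false);
assert(strpos($result, 'a&amp;b') !== false);
```

Run it with `php -d zend.assertions=1 script.php` on the build under test; on an unaffected build it exits silently, while a build with the 5.2 defect would fault inside preg_replace_impl as shown in the backtrace above.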
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC