PHP :: Bug #52818 :: PCRE segfault

Bug #52818

PCRE segfault

Submitted:

2010-09-12 00:48 UTC

Modified:

2010-09-14 17:45 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (100.0%)

From:

svimik at mail dot ru

Assigned:

Status:

Not a bug

Package:

Reproducible crash

PHP Version:

5.3.3

OS:

Debian-50-lenny-64

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	svimik at mail dot ru
New email:
PHP Version:		OS:

New Comment:

[2010-09-12 00:48 UTC] svimik at mail dot ru

Description:
------------
My phpinfo:
http://188.40.74.4/_phpinfo.php

My hardware configuration:
http://www.hetzner.de/en/hosting/produkte_rootserver/eq4/

Test condition:
Run the script below in console (via SSH in my case).

Result:
Segmentation fault

Note: the regular expression may look senseless, because it was shortened to the minimun length for reproducing the bug.

Bug is reproducible on php 5.2.6, 5.2.9, 5.2.12 and 5.3.2. (Sorry, can't test on the latest version, waiting for someone to confirm the bug on 5.3.3).
Sorry, can't make a backtrace on a production server, because it is necessary to recompile the php.

In Windows this script works well.

Test script:
---------------
$str="<script>".str_repeat(".", 7000); //at least 6378 bytes (or more)
$str=preg_replace("/<script>((?!qqqq).)*/", "", $str);

Expected result:
----------------
Not a Segmentation fault :)

Actual result:
--------------
Debian-50-lenny-64-LAMP:/home/httpd# php -f segf.php
Segmentation fault
Debian-50-lenny-64-LAMP:/home/httpd#

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-09-12 00:57 UTC] svimik at mail dot ru

Tested versions:
------------------------
PHP 5.3.2-2 with Suhosin-Patch (cli) (built: Jul 19 2010 01:22:58)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with XCache v1.3.0, Copyright (c) 2005-2009, by mOo

PHP 5.2.12-2 with Suhosin-Patch 0.9.7 (cli) (built: Jan 11 2010 16:51:28)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with XCache v1.3.0, Copyright (c) 2005-2009, by mOo

PHP 5.2.9 (cli) (built: Mar 31 2009 23:21:47)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

PHP 5.2.6-1+lenny8 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 14 2010 08:14:04)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies

[2010-09-12 02:35 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2010-09-12 02:35 UTC] pajoye@php.net

What's your pcre recursion limit setting? Also it looks like a stack issue to me.

In any case, please provide a backtrace, without any patch or random extension (suhoshin or whatever else).

[2010-09-12 11:35 UTC] svimik at mail dot ru

-Status: Feedback +Status: Open

[2010-09-12 11:35 UTC] svimik at mail dot ru

Thanks to pajoye, the problem was solved by reducing recursion limit.
pcre.recursion_limit was default value (100000), and only reducing to 10000 solved the problem.

The only question is: is default value of pcre.recursion_limit too high? And should it work?

[2010-09-14 13:09 UTC] aharvey@php.net

-Status: Open +Status: Bogus

[2010-09-14 13:09 UTC] aharvey@php.net

I can replicate this on a stock trunk build, and it is (as usual) a simple stack overflow.

Closing.

[2010-09-14 16:27 UTC] svimik at mail dot ru

Why stack overflow is not a bug?

[2010-09-14 17:06 UTC] pajoye@php.net

Because it depends on your apache builds and configurations.

You can increase both using php.ini and with some tools on unix (don't remember which, but there is other reports about how to do it here). In any case, that's not something we can fix.

[2010-09-14 17:32 UTC] svimik at mail dot ru

>Because it depends on your apache builds
As I said, I'm NOT using Apache, I run this script directly in console, by "php -f file.php" command.

>In any case, that's not something we can fix.
Why is not possible to catch this error?

[2010-09-14 17:45 UTC] pajoye@php.net

It does not matter if you use apache or not, same cause, same solution. I mentioned apache as an example.

[2013-06-08 17:22 UTC] eugenia at linux dot com

change the pcre.recursion_limit directive prevents a stack overflow but not 
correct the problem with preg_match.

After the change, the preg_match function not find a coincidence in the same 
context (maybe because it stops the recursion) but finds a coincidence in a 
reduced context.

So, why do you think is not a bug? Give me an exact explanation, tell me how I 
can solving this problem and I will tell you that it's not a bug. But now, is a 
bug.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 23:01:26 2024 UTC