Bug #53953 preg_replace overflow segfault
Submitted: 2011-02-07 23:15 UTC Modified: 2011-02-08 04:01 UTC
From: msn at searchy dot nl Assigned:
Status: Duplicate Package: PCRE related
PHP Version: 5.3.5 OS: Linux
Private report: No CVE-ID: None

 [2011-02-07 23:15 UTC] msn at searchy dot nl
Description:
------------
When preg_replace'ing a pattern which occurs a lot in a subject, php will SIGSEGV. With the test script php fails at Iteration 2236. It seems to occur only with a pattern like '(x)+', where x can be anything.

FreeBSD (8.1) has no issues with the test script.

I found a relevant bug: http://bugs.php.net/bug.php?id=36507 , but I find it awkward that the internal pcre library still has the bug.

Test script:
---------------
<?php
$string = "";
$newstring = "";
for ($i=0;$i<10240;$i++) {
	echo "Iteration $i\n";
	$string .= 'x';
	$newstring = $string;
	$newstring = preg_replace("/(x)+/","",$newstring);
	echo "$string - $newstring \n";
}
?>


Expected result:
----------------
Run to infinity and beyond as long as the loop loops.

Actual result:
--------------
A snippet of the backtrace:
#0  match (eptr=0x8b61e49 "", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4474) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:627
#1  0x080c8469 in match (eptr=0x8b61e49 "", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4473)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#2  0x080c6793 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4472)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#3  0x080c8469 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4471)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623

--snip--
#4473 0x080c8469 in match (eptr=0x8b6158d 'x' <repeats 200 times>..., ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=1)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#4474 0x080c6793 in match (eptr=0x8b6158c 'x' <repeats 200 times>..., ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=2, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=0)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#4475 0x080d8dbe in php_pcre_exec (argument_re=0x8b8ae88, extra_data=0xbfde5f64, subject=0x8b6158c 'x' <repeats 200 times>..., length=2237, start_offset=0, options=0, offsets=0x8b5b48c, offsetcount=6)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:6064
#4476 0x080def1d in php_pcre_replace_impl (pce=0x8bcb0a8, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, replace_count=0xbfde6144)
    at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1052
#4477 0x080ded1d in php_pcre_replace (regex=0x8b5f028 "/(x)+/", regex_len=6, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, 
    replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:962
#4478 0x080dfa5c in php_replace_in_subject (regex=0x8b5f104, replace=0x8b5ef54, subject=0x8b8b16c, result_len=0xbfde6158, limit=-1, is_callable_replace=0, replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1279
#4479 0x080e0447 in preg_replace_impl (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, is_callable_replace=0, is_filter=0) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1377
#4480 0x080e052d in zif_preg_replace (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1397
#4481 0x084afafb in zend_do_fcall_common_helper_SPEC (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:316
#4482 0x084b4537 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:1606
#4483 0x084aef98 in execute (op_array=0x8b5e2c8) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:107
#4484 0x08487c63 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/compile/php-5.3.5/Zend/zend.c:1194
#4485 0x084272f3 in php_execute_script (primary_file=0xbfde86d4) at /root/compile/php-5.3.5/main/main.c:2265
#4486 0x08547ba6 in main (argc=2, argv=0xbfde8834) at /root/compile/php-5.3.5/sapi/cli/php_cli.c:1193
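The usual mitigation for this class of crash is to cap PCRE's recursion depth and check preg_last_error() rather than assume preg_replace() succeeded. The following is an added example, not code from the report or from PHP itself; the limit values are assumptions and must be tuned to the process's stack size (the report's crash happened at a recursion depth of about 4474 frames).

```php
<?php
// Added example (not from the bug report): bound PCRE recursion so a
// pattern like "(x)+" on a long subject returns an error instead of
// overflowing the C stack. The limit values are assumptions; pick them
// so that limit * sizeof(match() frame) stays well below the thread stack.
ini_set('pcre.recursion_limit', '1000');   // max depth of match() recursion
ini_set('pcre.backtrack_limit', '100000'); // max total backtracking steps

/**
 * preg_replace wrapper that distinguishes "no match" from "PCRE gave up".
 * Returns the replaced string, or null when PCRE hit a limit or failed;
 * the raw preg_last_error() code is passed back through $error.
 */
function safe_preg_replace($pattern, $replacement, $subject, &$error = null)
{
    $result = preg_replace($pattern, $replacement, $subject);
    $error  = preg_last_error();
    if ($result === null || $error !== PREG_NO_ERROR) {
        return null;
    }
    return $result;
}

// Human-readable names for the error codes available in this PHP build.
$names = array(
    PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
    PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
    PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
);
// With pcre.jit enabled (PHP 7+), the JIT has its own stack and reports
// exhaustion through this separate code instead of the recursion limit.
if (defined('PREG_JIT_STACKLIMIT_ERROR')) {
    $names[PREG_JIT_STACKLIMIT_ERROR] = 'PREG_JIT_STACKLIMIT_ERROR';
}

// Same loop as the reporter's test script, but it stops at the first
// PCRE error instead of running on into the segfault.
$string = '';
for ($i = 0; $i < 10240; $i++) {
    $string .= 'x';
    $out = safe_preg_replace('/(x)+/', '', $string, $err);
    if ($out === null) {
        $name = isset($names[$err]) ? $names[$err] : "error code $err";
        echo "Iteration $i: preg_replace failed with $name\n";
        break;
    }
}
```

Once the limit is in place the failure surfaces as PREG_RECURSION_LIMIT_ERROR at a subject length near the configured depth, which the caller can log and handle instead of losing the whole process.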


 [2011-02-08 04:01 UTC] aharvey@php.net
-Status: Open +Status: Duplicate
 [2011-02-08 04:01 UTC] aharvey@php.net
Duplicate of many bugs, including bug #52818.

For what it's worth, I actually agree with you that this shouldn't
crash, but this continues to be expected behaviour by most PHP
developers.