Bug #61920 "Segmentation fault" when \xfe is a part of mb_eregi_replace pattern
Submitted: 2012-05-03 08:33 UTC Modified: 2016-07-30 11:32 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: wojak@php.net Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.3.11 OS: Linux Ubuntu 10.04.2 LTS
Private report: No CVE-ID: None
 [2012-05-03 08:33 UTC] wojak@php.net
Description:
------------
I get "Segmentation fault" when \xfe is a part of pattern argument in mb_eregi_replace() method.


Test script:
---------------
php -r 'mb_regex_encoding ("UTF-8");mb_internal_encoding("UTF-8");echo mb_eregi_replace ("[^\xfe]" , "?" , "\xfe ");'


 [2012-05-03 14:48 UTC] laruence@php.net
Only for PHP 5.3; 5.4 works fine. bt is:

Core was generated by `php53 -r mb_regex_encoding ("UTF-8");mb_internal_encoding("UTF-8");echo mb_ereg'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005f3273 in next_state_val (cc=0x2406d48, vs=0x7fff1e996960, v=0, vs_israw=0x7fff1e9969b8, v_israw=0, intype=CCV_SB,
    type=0x7fff1e9969b4, state=0x7fff1e9969b0, env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:3973
3973	      BITSET_SET_BIT(cc->bs, (int )(*vs));
(gdb) bt
#0  0x00000000005f3273 in next_state_val (cc=0x2406d48, vs=0x7fff1e996960, v=0, vs_israw=0x7fff1e9969b8, v_israw=0, intype=CCV_SB,
    type=0x7fff1e9969b4, state=0x7fff1e9969b0, env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:3973
#1  0x00000000005f3f26 in parse_char_class (np=0x7fff1e996b48, tok=0x7fff1e996bf0, src=0x7fff1e996c70, end=0x2516b24 "", env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:4342
#2  0x00000000005f58ff in parse_exp (np=0x7fff1e996b48, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5019
#3  0x00000000005f609f in parse_branch (top=0x7fff1e996ba8, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5171
#4  0x00000000005f620a in parse_subexp (top=0x7fff1e996d98, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5208
#5  0x00000000005f6391 in parse_regexp (top=0x7fff1e996d98, src=0x7fff1e996c70, end=0x2516b24 "", env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5252
#6  0x00000000005f6464 in onig_parse_make_tree (root=0x7fff1e996d98, pattern=0x2516b20 "[^\376]", end=0x2516b24 "", reg=0x24f9450,
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5279
#7  0x00000000005de803 in onig_compile (reg=0x24f9450, pattern=0x2516b20 "[^\376]", pattern_end=0x2516b24 "", einfo=0x7fff1e996e60)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regcomp.c:5168
#8  0x00000000005deed5 in onig_new (reg=0x7fff1e996e78, pattern=0x2516b20 "[^\376]", pattern_end=0x2516b24 "", option=13, enc=0x112a280,
    syntax=0x1129dc0, einfo=0x7fff1e996e60) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regcomp.c:5399
#9  0x00000000006280e0 in php_mbregex_compile_pattern (pattern=0x2516b20 "[^\376]", patlen=4, options=13, enc=0x112a280, syntax=0x1129dc0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:458
#10 0x00000000006291f1 in _php_mb_regex_ereg_replace_exec (ht=3, return_value=0x2518c28, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1, options=13) at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:857
#11 0x000000000062a384 in zif_mb_eregi_replace (ht=3, return_value=0x2518c28, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:980
#12 0x00000000008b1a97 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fe8cadd2090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:320
#13 0x00000000008b5fa0 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fe8cadd2090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:1640
#14 0x00000000008b0f70 in execute (op_array=0x2518970) at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:107
#15 0x000000000086e5f1 in zend_eval_stringl (
 [2012-05-04 22:56 UTC] felipe@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: moriyoshi
 [2012-05-05 12:58 UTC] Reeze dot xia at gmail dot com
This is a bug in the bundled oniguruma in 5.3.
5.4 upgraded it but 5.3 didn't.

Upgrading the bundled oniguruma can fix the bug.
 [2012-06-05 11:53 UTC] frithjof at digital-poets dot net
Also reproduced on Ubuntu 12.04
PHP 5.3.10-1ubuntu3.1 with Suhosin-Patch (cli) (built: May  4 2012 02:20:36) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
 [2016-07-30 11:31 UTC] cmb@php.net
-Status: Assigned
+Status: Closed
-Assigned To: moriyoshi
+Assigned To: cmb
 [2016-07-30 11:31 UTC] cmb@php.net
Indeed, this issue has been fixed at least as of oniguruma 5.9.2,
which is bundled as of PHP 5.0.0, see <https://3v4l.org/bUMi2>.
(The missing warning is due to the new pre-validation[1].)

[1] <https://github.com/php/php-src/commit/eb3e7f7>
 [2016-07-30 11:32 UTC] cmb@php.net
> which is bundled as of PHP 5.0.0

"which is bundled as of PHP 5.5.0", of course
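
Added example, not part of the report and not php-src code: a user-land guard for code that must still run on an affected build, in the spirit of the pre-validation mentioned in the last comment. It assumes that rejecting byte strings which are not well-formed in the regex encoding is the relevant check; `safe_mb_eregi_replace()` is a hypothetical helper name, and the second test case is constructed.

```php
<?php
// Added example. Requires PHP 7+ with mbstring built with regex support.

function safe_mb_eregi_replace(
    string $pattern,
    string $replacement,
    string $subject,
    string $encoding = 'UTF-8'
): string {
    // Refuse any argument that is not well-formed in the regex encoding,
    // so malformed bytes such as a lone \xfe never reach the regex compiler.
    $args = ['pattern' => $pattern, 'replacement' => $replacement, 'subject' => $subject];
    foreach ($args as $name => $value) {
        if (!mb_check_encoding($value, $encoding)) {
            throw new InvalidArgumentException(
                "$name is not valid $encoding (hex: " . bin2hex($value) . ")"
            );
        }
    }

    // Pin the regex encoding for this call and restore the caller's setting.
    $previous = mb_regex_encoding();
    mb_regex_encoding($encoding);
    try {
        $result = mb_eregi_replace($pattern, $replacement, $subject);
    } finally {
        mb_regex_encoding($previous);
    }

    if (!is_string($result)) {
        throw new RuntimeException('mb_eregi_replace() failed');
    }
    return $result;
}

$cases = [
    'from the report' => ["[^\xfe]", "\xfe "],          // lone 0xFE byte, not valid UTF-8
    'constructed'     => ["[^\u{00fe}]", "\u{00fe} x"], // U+00FE as valid UTF-8 (C3 BE)
];
foreach ($cases as $label => [$pattern, $subject]) {
    try {
        $out = safe_mb_eregi_replace($pattern, '?', $subject);
        echo "$label: replaced, result hex ", bin2hex($out), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected, ", $e->getMessage(), PHP_EOL;
    }
}
```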
 