Bug #63829 Apache stack overflow on PCRE subpatterns
Submitted: 2012-12-21 16:18 UTC Modified: 2014-12-19 15:27 UTC
From: ab@php.net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: Irrelevant OS: Windows
Private report: No CVE-ID: None
 [2012-12-21 16:18 UTC] ab@php.net
Description:
------------
Running the test ext/pcre/tests/bug47662.phpt under Apache 2.2 or 2.4 causes the CRT error with the following message:

Unhandled exception at 0x01E3FC19 (php5ts_debug.dll) in httpd.exe: 0xC00000FD: Stack overflow (parameters: 0x00000001, 0x03CE2948).

This error seems to have existed for a very long time. It happens not only with the pcre ext lately upgraded to 8.31, but also with the previous version using PCRE 8.12. It also happens in both release and debug builds. Here is the backtrace delivered by VS:

........................... a lot of match(...) calls .....................
 	php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956	C
 	php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956	C
 	php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956	C
 	php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956	C
 	php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956	C
 	php5ts_debug.dll!php_pcre_exec(const real_pcre * argument_re, const pcre_extra * extra_data, const char * subject, int length, int start_offset, int options, int * offsets, int offsetcount) Line 6917	C
 	php5ts_debug.dll!php_pcre_match_impl(pcre_cache_entry * pce, char * subject, int subject_len, _zval_struct * return_value, _zval_struct * subpats, int global, int use_flags, long flags, long start_offset, void * * * tsrm_ls) Line 653	C
 	php5ts_debug.dll!php_do_pcre_match(int ht, _zval_struct * return_value, _zval_struct * * return_value_ptr, _zval_struct * this_ptr, int return_value_used, void * * * tsrm_ls, int global) Line 547	C
 	php5ts_debug.dll!zif_preg_match(int ht, _zval_struct * return_value, _zval_struct * * return_value_ptr, _zval_struct * this_ptr, int return_value_used, void * * * tsrm_ls) Line 798	C
 	php5ts_debug.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 642	C
 	php5ts_debug.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 2236	C
 	php5ts_debug.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 410	C
 	php5ts_debug.dll!zend_execute_scripts(int type, void * * * tsrm_ls, _zval_struct * * retval, int file_count, ...) Line 1309	C
 	php5ts_debug.dll!php_execute_script(_zend_file_handle * primary_file, void * * * tsrm_ls) Line 2482	C
 	php5apache2_2.dll!php_handler(request_rec * r) Line 667	C


Test script:
---------------
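<?php
// Build a pattern of 4027 consecutive capturing groups, each wrapping an empty named group.
$regex = '@';
for ($bar = 0; $bar < 4027; $bar++) {
        $regex .= '((?P<x' . $bar . '>))';
}
$regex .= 'fo+bar@';

// Matching recurses through PCRE's match() for the groups above.
var_dump(preg_match($regex, 'foobar', $m));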

Expected result:
----------------
int(1)

Actual result:
--------------
An exception is thrown.

 [2012-12-21 16:28 UTC] ab@php.net
It seems to me more like an issue strictly related to Apache + PCRE under Windows, as I read here: http://lxr.php.net/xref/PHP_5_4/ext/pcre/pcrelib/pcre_exec.c#232 . CLI isn't affected by this. After defining

#define NO_RECURSE 1

in pcrelib/config.h the issue disappears. The phpt tests pass. I'm not sure whether this would cause a big performance penalty; this should be tested.
 [2012-12-22 01:15 UTC] felipe@php.net
-Status: Open +Status: Not a bug
 [2012-12-22 01:15 UTC] felipe@php.net
This has been already discussed: http://marc.info/?l=php-internals&m=121811425119001
 [2012-12-24 10:34 UTC] ab@php.net
editbin /stack:16777216 httpd.exe

This sets the process stack size to 16 MB, and the code snippet then passes.
 [2012-12-24 10:34 UTC] ab@php.net
Thanks Felipe :)
 [2014-12-19 14:44 UTC] roman dot paska at gmail dot com
I have found a better solution for this issue (probably).

This command "editbin /stack:16777216 httpd.exe" can be run from the Visual Studio console only. So it has limited usage.

A better approach is described here: http://stackoverflow.com/questions/5058845/how-do-i-increase-the-stack-size-for-apache-running-under-windows-7
 [2014-12-19 15:27 UTC] ab@php.net
Nice. The advantage of editbin is that it's usable on any binary. But for Apache, using the ThreadStackSize directive is outstanding, as one doesn't need to touch the binary.

Thanks.
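
The fixes in this thread all raise the stack ceiling. As an added example (not part of the report and not PHP project code), the sketch below bounds the match() recursion from the application side with PHP's pcre.recursion_limit setting, which the thread does not discuss, so that a deep pattern is rejected with an error code instead of exhausting the thread stack. The helper name safe_preg_match() and the limit of 1000 are assumptions.

```php
<?php
// Added example; safe_preg_match() is a hypothetical helper, not a PHP API.

// Cap the depth of PCRE's match() recursion. 1000 is an assumed value:
// size it against the stack your SAPI threads actually get.
ini_set('pcre.recursion_limit', '1000');
// The limit governs the interpreting matcher only, so keep the JIT out of
// the picture where it exists (PHP 7+; a no-op on older versions).
ini_set('pcre.jit', '0');

/**
 * preg_match() wrapper that separates "no match" (0) from "engine gave up".
 */
function safe_preg_match($pattern, $subject, &$matches = null)
{
    $result = @preg_match($pattern, $subject, $matches);
    $error  = preg_last_error();
    if ($result === false || $error !== PREG_NO_ERROR) {
        $names = array(
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit exceeded',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit exceeded',
        );
        $reason = isset($names[$error]) ? $names[$error] : 'error code ' . $error;
        throw new RuntimeException('PCRE did not finish the match: ' . $reason);
    }
    return $result;
}

// Same pattern shape as the test script in this report.
$regex = '@';
for ($i = 0; $i < 4027; $i++) {
    $regex .= '((?P<x' . $i . '>))';
}
$regex .= 'fo+bar@';

try {
    // Prints the match result when the engine stays within the limit.
    var_dump(safe_preg_match($regex, 'foobar', $m));
} catch (RuntimeException $e) {
    // Reached when the limit trips first: the request fails, the process survives.
    error_log($e->getMessage());
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Which branch runs depends on the PCRE version and build behind the PHP binary, so log the rejection path and tune the limit against the stack size actually configured for the server threads.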
 
Last updated: Sat Dec 21 16:01:28 2024 UTC