Bug #72143 preg_replace uses int instead of size_t on zend_string_allocs
Submitted: 2016-05-03 12:53 UTC Modified: 2016-05-14 07:22 UTC
From: burmartke at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.6 OS: Ubuntu 16.04 LTS
Private report: No CVE-ID: None
 [2016-05-03 12:53 UTC] burmartke at gmail dot com
Description:
------------
preg_replace() declares its alloc_len as an int, and zend_string_(re)alloc() expects a size_t, so when it tries to allocate a string >= 0x40000000 it gets sign-extended and the alloc fails.

Test script:
---------------
<?php

error_log( "++++++++++++++++++++++++++begin " );

// 0x40000001 bytes: just past the length at which preg_replace's int alloc_len goes negative
$str = str_repeat( 'a', 0x40000000 ) . 'b';

$len = strlen( $str );
// The second value is the bogus byte count reported by the failing allocation, shown for comparison
error_log( "len=$len (0x" . dechex( $len ) . ")" . ", 18446744071562068000 (0x" . dechex( 18446744071562068000 ) . ")" );

$out = preg_replace( '/b/', '', $str );   // triggers the oversized zend_string_alloc

error_log( "++++++++++++++++++++++++++end " );


Expected result:
----------------
A successful replace.

++++++++++++++++++++++++++begin
len=1073741825 (0x40000001), 18446744071562068000 (0xffffffff80000000)
++++++++++++++++++++++++++end 


Actual result:
--------------
Either a PHP Fatal error:  Out of memory (allocated 1075843072) (tried to allocate 18446744071562068000 bytes) or a segmentation fault.
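The failure mode in this report is a plain integer-width mismatch: a length computed in a 32-bit `int` goes negative once it reaches 0x80000000, and converting that negative value to the allocator's `size_t` parameter sign-extends it into a request of roughly 0xffffffff80000000 bytes, which is exactly the figure in the "Out of memory" message above. The following C program is an added illustration, not php-src code; it models the buggy and corrected computations with hypothetical function names, and it assumes (consistent with the numbers in the report, but not stated on the page) that the working buffer is sized at twice the subject length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the buggy path (hypothetical; not the php-src code):
 * the buffer length lives in an int, then is passed to an allocator whose
 * parameter is size_t. Returns the size_t the allocator would actually see.
 * The doubling of subject_len is an assumption for illustration. */
size_t buggy_alloc_request(size_t subject_len) {
    int alloc_len = (int)(2 * subject_len); /* truncates to 32 bits, may go negative */
    return (size_t)alloc_len;               /* negative int sign-extends to a huge size_t */
}

/* Corrected path: keep the length in size_t throughout and refuse to wrap.
 * Returns false instead of producing an overflowed request. */
bool fixed_alloc_request(size_t subject_len, size_t *out) {
    if (subject_len > SIZE_MAX / 2) {
        return false; /* 2 * subject_len would wrap around */
    }
    *out = 2 * subject_len;
    return true;
}

/* Diagnostic check a reviewer can apply to an allocation size seen in a crash
 * or OOM message: on a 64-bit build, a request whose upper 32 bits are all set
 * is the signature of a negative 32-bit value that was sign-extended. */
bool looks_sign_extended(size_t request) {
    if (sizeof(size_t) != 8) {
        return false;
    }
    return ((uint64_t)request >> 32) == 0xffffffffu;
}

int main(void) {
    /* Constructed sample lengths: one below the threshold, one at it, one just past it
     * (0x40000001 is the length of the report's test string). */
    size_t samples[] = { 0x3fffffffu, 0x40000000u, 0x40000001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bad = buggy_alloc_request(samples[i]);
        size_t good = 0;
        bool ok = fixed_alloc_request(samples[i], &good);
        printf("len=0x%zx buggy_request=0x%zx sign_extended=%d fixed_request=0x%zx ok=%d\n",
               samples[i], bad, (int)looks_sign_extended(bad), good, (int)ok);
    }
    return 0;
}
```

Running this on a 64-bit build shows the request jumping from 0x7ffffffe for a 0x3fffffff-byte subject to 0xffffffff80000000 at 0x40000000, which matches the threshold the reporter identified. The `looks_sign_extended` check is the quick triage for this whole class of bug: when an allocator reports a request near 2^64 with the top half all ones, look for an `int` that should have been `size_t` rather than for a genuine memory exhaustion.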

Patches

pcre_preg_replace_alloc_int_to_size_t.patch (last revision 2016-05-03 12:53 UTC by burmartke at gmail dot com)

Pull Requests

History

 [2016-05-14 07:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90f46f2c5bdd3ab0e5dbc3aec1b3294ea1981abe
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-14 07:21 UTC] krakjoe@php.net
-Status: Open +Status: Closed
 [2016-05-14 07:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-14 07:22 UTC] krakjoe@php.net
-Assigned To: +Assigned To: krakjoe
 [2016-05-14 07:22 UTC] krakjoe@php.net
Thanks. 

I didn't add a test; this is an obvious programming error, and it's unreasonable to create tests that allocate that much memory, I think.
 [2016-05-16 03:22 UTC] laruence@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-16 03:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9e7afa75140afd047cb95280a610cff9368a7517
Log: Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)"
 [2016-05-16 13:23 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b3a4c6101abeef297bfb415493e96bbeda3d110
Log: Revert "Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)""
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b3a4c6101abeef297bfb415493e96bbeda3d110
Log: Revert "Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)""
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9e7afa75140afd047cb95280a610cff9368a7517
Log: Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90f46f2c5bdd3ab0e5dbc3aec1b3294ea1981abe
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC