Bug #74588 Infinite recursion within get_min_match_length() leads to SEGV
Submitted: 2017-05-14 06:28 UTC Modified: 2017-06-06 02:32 UTC
Votes:2
Avg. Score:2.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: xixabangm4 at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1.5 OS: *
Private report: No CVE-ID: None
 [2017-05-14 06:28 UTC] xixabangm4 at gmail dot com
Description:
------------
Version tested: PHP-5.6.30 on x86_64; PHP-7.1.5 / x86 likely affected too.

Build bin/php with -fsanitize=address, --enable-mbstring



Test script:
---------------
$ cat get_min_match_len/recurse.php 
<?php

if (!extension_loaded('mbstring')) print "mbstring not loaded.\n";
if (!function_exists('mb_ereg_replace')) print "mb_ereg_replace() is not available\n";

echo "*** Testing mb_ereg_replace() ***\n";

echo mb_ereg_replace("(\\2)(\\1)", "1", "a");

?>



Expected result:
----------------
No crash

Actual result:
--------------
$ php get_min_match_len/recurse.php

*** Testing mb_ereg_replace() ***
ASAN:SIGSEGV
=================================================================
==11343==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec8781ff8 (pc 0x0000008d5ed6 bp 0x7ffec8782000 sp 0x7ffec8782000 T0)
    #0 0x8d5ed5 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2025
    #1 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #2 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #3 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #4 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #5 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #6 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #7 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #8 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    <..240 lines cut..>
    #249 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #250 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #251 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122

SUMMARY: AddressSanitizer: stack-overflow /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2025 get_min_match_length
==11343==ABORTING
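
A simplified model of the failure mode in this report, added here as an example (it is not code from Oniguruma or PHP): a minimum-match-length pass that marks a group while it is being sized, so the mutual back-references in `(\2)(\1)` are reported as a cycle instead of recursing until the stack is exhausted. The node types and the names `min_len` and `analyse` are hypothetical; the assumption is that a back-reference is sized by descending into the group it names, which is consistent with the two alternating frames in the trace.

```c
#include <stddef.h>

/* Simplified regex AST, constructed for this example (not Oniguruma's types). */
enum kind { LIT, SEQ, GROUP, BACKREF };
struct node {
    enum kind kind;
    size_t len;          /* LIT: literal length */
    struct node *a, *b;  /* SEQ: two children; GROUP: body in a */
    int ref;             /* BACKREF: 1-based group number */
    int visiting;        /* GROUP: set while its length is being computed */
};
struct ctx { struct node **groups; int ngroups; int cyclic; };

/* Minimum match length. A back-reference is sized by descending into the
 * group it names, so "(\2)(\1)" is a cycle; the visiting mark stops the
 * descent and records it in c->cyclic. */
static size_t min_len(struct node *n, struct ctx *c)
{
    size_t r = 0;
    switch (n->kind) {
    case LIT: return n->len;
    case SEQ: return min_len(n->a, c) + min_len(n->b, c);
    case BACKREF:
        if (n->ref < 1 || n->ref > c->ngroups) return 0;  /* undefined group */
        return min_len(c->groups[n->ref - 1], c);
    case GROUP:
        if (n->visiting) { c->cyclic = 1; return 0; }     /* re-entered: cycle */
        n->visiting = 1;
        r = min_len(n->a, c);
        n->visiting = 0;
    }
    return r;
}

/* Builds "(\2)(\1)" (the report's pattern) when mutual is nonzero, else the
 * acyclic "(ab)(\1)"; returns the minimum length and sets *cyclic. */
size_t analyse(int mutual, int *cyclic)
{
    struct node ab = { LIT, 2, NULL, NULL, 0, 0 }, r1 = { BACKREF, 0, NULL, NULL, 1, 0 };
    struct node r2 = { BACKREF, 0, NULL, NULL, 2, 0 };
    struct node g1 = { GROUP, 0, mutual ? &r2 : &ab, NULL, 0, 0 }, g2 = { GROUP, 0, &r1, NULL, 0, 0 };
    struct node top = { SEQ, 0, &g1, &g2, 0, 0 }, *groups[] = { &g1, &g2 };
    struct ctx c = { groups, 2, 0 };
    size_t r = min_len(&top, &c);
    *cyclic = c.cyclic;
    return r;
}
```

Without the `visiting` check, the `GROUP` and `BACKREF` cases call each other indefinitely on the cyclic pattern, which is the shape of the stack overflow AddressSanitizer reports above.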


 [2017-05-14 19:12 UTC] andrew dot nester dot dev at gmail dot com
I guess the issue relates to the bundled `oniguruma` library, which is used for regexp things.
https://github.com/kkos/oniguruma
 [2017-05-19 00:33 UTC] ryan dot jentzsch at gmail dot com
I can confirm this is a bug in 7.1.5 - Segfaults
Appears to be solved in PHP 7.2.0-dev (cli) (built: May 18 2017 18:27:41) ( ZTS )
 [2017-06-06 02:32 UTC] xixabangm4 at gmail dot com
-: l dot wei at ntu dot edu dot sg
+: xixabangm4 at gmail dot com
-Status: Open
+Status: Closed
 [2017-06-06 02:32 UTC] xixabangm4 at gmail dot com
Issue closed as resolved.
 
Last updated: Sun Dec 22 03:01:28 2024 UTC