php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14304 Potential problem with regex...
Submitted: 2001-11-30 13:40 UTC Modified: 2002-01-02 14:05 UTC
From: bajolet at toiletoine dot net Assigned:
Status: Closed Package: Regexps related
PHP Version: 4.0.6 OS: Linux php3-2 2.4.7 #1 Thu Aug 9
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bajolet at toiletoine dot net
New email:
PHP Version: OS:

 

 [2001-11-30 13:40 UTC] bajolet at toiletoine dot net
Summary :
A function works well on php 4.0.5 and enters an infinite loop on php 4.0.6.

Function entering in infinite loop :
The purpose of this function is to parse a template containing some tags, line by line, and replace them by values contained in the $t_strings array.

The input can be :
<td bgcolor="#FFCC00" colspan="2"><phpdig:previous_link src='./tpl_img/left.gif'/><phpdig:pages_bar/><phpdig:next_link src='./tpl_img/right.gif'/></td>

i think the str_replace() function don't replace anything ; the while statment stays always true, etc...

function  parse_phpdig_tags($line,$t_strings)
{
while(eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>',$line,$regs))
                 {
                 //links with images
                 if ($regs[2])
                     {
                     if ($regs[3] && $t_strings[$regs[1]])
                         {
                         if (ereg('^http',$t_strings[$regs[1]]))
                             $target = ' target="_blank"';
                         else
                             $target = '';

                         $replacement = '<A href="'.$t_strings[$regs[1]].'"'.$target.'><img src="'.$regs[3].'" border="0" align="bottom"></a>';
                         }
                     else
                         {
                         $replacement = '';
                         }
                     $line = str_replace($regs[0],$replacement,$line);
                     }
                 else
                     {
                     $line = str_replace($regs[0],$t_strings[$regs[1]],$line);
                     }
                 }

           return $line;
}

Configuration not working (php 4.0.6) :
 '../configure' '--prefix=/usr' '--prefix=/usr' '--with-regex=system' '--enable-force-cgi-redirect' '--with-config-file-path=/etc/php4/cgi' '--disable-rpath' '--disable-pear' '--enable-memory-limit' '--enable-calendar' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-db2' '--with-ndbm' '--enable-exif' '--enable-filepro' '--with-gettext' '--enable-track-vars' '--enable-trans-sid' '--disable-debug' '--disable-static' '--with-mm' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--with-xml=/usr' '--with-expat-dir=/usr' '--with-zlib' '--enable-email' '--disable-posix' '--without-mysql' '--without-sybase-ct'

Configuration working (php 4.0.5) :
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-pgsql=/usr/local/pgsql' '--with-ldap' '--with-openssl' '--with-domxml' '--with-bcmath' '--enable-track-vars' '--with-gd=../gd-1.8.4' '--enable-freetype-4bit-antialias-hack' '--with-mysql' '--with-jpeg-dir=../jpeg-6b' '--with-png-dir=../libpng-1.0.12' '--with-freetype-dir=../freetype-2.0.4' '--with-zlib-dir=../zlib' '--with-sablot=SHARED' '--enable-bcmath' '--enable-ftp' '--enable-sockets' '--enable-magic-quotes' '--enable-versioning'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-11-30 13:45 UTC] bajolet at toiletoine dot net
Sorry, i forgot :
All the application in dowloadable at : http://phpdig.toiletoine.net/phpdig_1_4_3.zip
 [2001-12-01 23:43 UTC] zak@php.net
Please reduce this to a simpler test case. If there is a 
bug in str_replace, then it should be reproduceable with a 
simple one line test. Logging how the str_replace 
functions are called should let you find the culprit.

A line like this after the function calls are made should 
do the trick.
error_log ("$line = 
str_replace({$regs[0]},$replacement,$line);\n", 3, 
'./str_rep_log');

Good Luck!

 [2001-12-09 08:00 UTC] bajolet at toiletoine dot net
I isolate the bug :
this works :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_message/></i></td>',$regs);

this doesn't (php loops) :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_common_message/></i></td>',$regs);

 [2001-12-09 08:08 UTC] bajolet at toiletoine dot net
Changed bug type to Regexps
 [2001-12-11 17:39 UTC] zak@php.net
Thanks for the additional information.

I tested the code snippets provided on PHP 4.1.0 - they 
all seem to operate as expected. The input of both 
snippets (when fed to your original function) returns 
'<br><i></i></td>'

The regular expressions provided later seem to work as 
well.

The top snippet captures:

array(10) {
  [0]=>
  string(24) "<phpdig:ignore_message/>"
  [1]=>
  string(14) "ignore_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

...and the bottom snippet captures:

array(10) {
  [0]=>
  string(31) "<phpdig:ignore_common_message/>"
  [1]=>
  string(21) "ignore_common_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

Is this the output that you get with PHP 4.0.6? Please let 
me know!



 [2001-12-12 01:31 UTC] bajolet at toiletoine dot net
The problem is there...
I got the first result :

>array(10) {
>  [0]=>
>  string(24) "<phpdig:ignore_message/>"
>  [1]=>
>  string(14) "ignore_message"
>  [2]=>
>  ...

But on the second, i got nothing but a 'maximum execution time exceeded'.
I traced my code with some echoes and flush(), and it seems that the php engine stays on the eregi() function.
It not core dump, but Apache goes 100% CPU until the timeout occurs.
 [2001-12-12 01:41 UTC] zak@php.net
I cannot reproduce the problem under PHP 4.1.0. Can you 
upgrade to this version?

 [2002-01-02 14:05 UTC] lobbin@php.net
No feedback. Closing.
 [2002-07-10 13:42 UTC] estelle at megaphone dot ch
Solaris 8, Apache 1.3.26, PHP 4.1.2 : ereg function causes a 100% CPU of the httpd process and then dies with a "maximum time exceeded".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 08:01:27 2024 UTC