PHP :: Bug #14304 :: Potential problem with regex...

Bug #14304	Potential problem with regex...
Submitted:	2001-11-30 13:40 UTC	Modified:	2002-01-02 14:05 UTC
From:	bajolet at toiletoine dot net	Assigned:
Status:	Closed	Package:	Regexps related
PHP Version:	4.0.6	OS:	Linux php3-2 2.4.7 #1 Thu Aug 9
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bajolet at toiletoine dot net
New email:
PHP Version:		OS:

New Comment:

[2001-11-30 13:40 UTC] bajolet at toiletoine dot net

Summary :
A function works well on php 4.0.5 and enters an infinite loop on php 4.0.6.

Function entering in infinite loop :
The purpose of this function is to parse a template containing some tags, line by line, and replace them by values contained in the $t_strings array.

The input can be :
<td bgcolor="#FFCC00" colspan="2"><phpdig:previous_link src='./tpl_img/left.gif'/><phpdig:pages_bar/><phpdig:next_link src='./tpl_img/right.gif'/></td>

i think the str_replace() function don't replace anything ; the while statment stays always true, etc...

function  parse_phpdig_tags($line,$t_strings)
{
while(eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>',$line,$regs))
                 {
                 //links with images
                 if ($regs[2])
                     {
                     if ($regs[3] && $t_strings[$regs[1]])
                         {
                         if (ereg('^http',$t_strings[$regs[1]]))
                             $target = ' target="_blank"';
                         else
                             $target = '';

                         $replacement = '<A href="'.$t_strings[$regs[1]].'"'.$target.'><img src="'.$regs[3].'" border="0" align="bottom"></a>';
                         }
                     else
                         {
                         $replacement = '';
                         }
                     $line = str_replace($regs[0],$replacement,$line);
                     }
                 else
                     {
                     $line = str_replace($regs[0],$t_strings[$regs[1]],$line);
                     }
                 }

           return $line;
}

Configuration not working (php 4.0.6) :
 '../configure' '--prefix=/usr' '--prefix=/usr' '--with-regex=system' '--enable-force-cgi-redirect' '--with-config-file-path=/etc/php4/cgi' '--disable-rpath' '--disable-pear' '--enable-memory-limit' '--enable-calendar' '--enable-bcmath' '--with-bz2' '--enable-ctype' '--with-db2' '--with-ndbm' '--enable-exif' '--enable-filepro' '--with-gettext' '--enable-track-vars' '--enable-trans-sid' '--disable-debug' '--disable-static' '--with-mm' '--with-pcre-regex=/usr' '--enable-shmop' '--enable-sockets' '--with-xml=/usr' '--with-expat-dir=/usr' '--with-zlib' '--enable-email' '--disable-posix' '--without-mysql' '--without-sybase-ct'

Configuration working (php 4.0.5) :
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-pgsql=/usr/local/pgsql' '--with-ldap' '--with-openssl' '--with-domxml' '--with-bcmath' '--enable-track-vars' '--with-gd=../gd-1.8.4' '--enable-freetype-4bit-antialias-hack' '--with-mysql' '--with-jpeg-dir=../jpeg-6b' '--with-png-dir=../libpng-1.0.12' '--with-freetype-dir=../freetype-2.0.4' '--with-zlib-dir=../zlib' '--with-sablot=SHARED' '--enable-bcmath' '--enable-ftp' '--enable-sockets' '--enable-magic-quotes' '--enable-versioning'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-11-30 13:45 UTC] bajolet at toiletoine dot net

Sorry, i forgot :
All the application in dowloadable at : http://phpdig.toiletoine.net/phpdig_1_4_3.zip

[2001-12-01 23:43 UTC] zak@php.net

Please reduce this to a simpler test case. If there is a 
bug in str_replace, then it should be reproduceable with a 
simple one line test. Logging how the str_replace 
functions are called should let you find the culprit.

A line like this after the function calls are made should 
do the trick.
error_log ("$line = 
str_replace({$regs[0]},$replacement,$line);\n", 3, 
'./str_rep_log');

Good Luck!

[2001-12-09 08:00 UTC] bajolet at toiletoine dot net

I isolate the bug :
this works :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_message/></i></td>',$regs);

this doesn't (php loops) :

eregi('<phpdig:([a-z0-9_]*)[[:blank:]]*(src=)*["\']*([a-z0-9./_-]+)*["\']*[[:blank:]]*/>','<br><i><phpdig:ignore_common_message/></i></td>',$regs);

[2001-12-09 08:08 UTC] bajolet at toiletoine dot net

Changed bug type to Regexps

[2001-12-11 17:39 UTC] zak@php.net

Thanks for the additional information.

I tested the code snippets provided on PHP 4.1.0 - they 
all seem to operate as expected. The input of both 
snippets (when fed to your original function) returns 
'<br><i></i></td>'

The regular expressions provided later seem to work as 
well.

The top snippet captures:

array(10) {
  [0]=>
  string(24) "<phpdig:ignore_message/>"
  [1]=>
  string(14) "ignore_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

...and the bottom snippet captures:

array(10) {
  [0]=>
  string(31) "<phpdig:ignore_common_message/>"
  [1]=>
  string(21) "ignore_common_message"
  [2]=>
  bool(false)
  [3]=>
  bool(false)
  [4]=>
  bool(false)
  [5]=>
  bool(false)
  [6]=>
  bool(false)
  [7]=>
  bool(false)
  [8]=>
  bool(false)
  [9]=>
  bool(false)
}

Is this the output that you get with PHP 4.0.6? Please let 
me know!

[2001-12-12 01:31 UTC] bajolet at toiletoine dot net

The problem is there...
I got the first result :

>array(10) {
>  [0]=>
>  string(24) "<phpdig:ignore_message/>"
>  [1]=>
>  string(14) "ignore_message"
>  [2]=>
>  ...

But on the second, i got nothing but a 'maximum execution time exceeded'.
I traced my code with some echoes and flush(), and it seems that the php engine stays on the eregi() function.
It not core dump, but Apache goes 100% CPU until the timeout occurs.

[2001-12-12 01:41 UTC] zak@php.net

I cannot reproduce the problem under PHP 4.1.0. Can you 
upgrade to this version?

[2002-01-02 14:05 UTC] lobbin@php.net

No feedback. Closing.

[2002-07-10 13:42 UTC] estelle at megaphone dot ch

Solaris 8, Apache 1.3.26, PHP 4.1.2 : ereg function causes a 100% CPU of the httpd process and then dies with a "maximum time exceeded".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC