Bug #19386 crash at if (preg_match('/(.|[\r\n])+/', $x)):
Submitted: 2002-09-13 07:20 UTC Modified: 2002-09-26 13:10 UTC
From: paul dot dodd at usb dot unibe dot ch Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 4.2.3, 4.3.0-dev OS: *
Private report: No CVE-ID: None
 [2002-09-13 07:20 UTC] paul dot dodd at usb dot unibe dot ch
Crash also occurred with php version 4.3.1. Binary windows
version was used in both cases. Does not occur for all
values of $x (probably only for very long strings ?).

<?php
$x = 'AN 11293237 20010507. AU Kraj, M.; Poglod, R.; Pawlikowski, J.; Maj, S.; Nasilowska, B. IN Institute  of  Haematology  and  Blood Transfusion, 5 Chocimska Str.,    00-957 Warsaw, Poland. TI Effect  of pamidronate on skeletal morbidity in myelomatosis. Part 1.    The results of the first 12 months of pamidronate therapy. SO Acta Pol. Pharm. IS 0001-6837 YR 2000 VL 57 Suppl PG 113-116 LG English. DE ADULT;    AGED;    BONE-RESORPTION/PX (psychology);    CALCIUM/UR (urine);    DIPHOSPHONATES/*TU (therapeutic use);    FEMALE;    HUMAN;    MALE;    MIDDLE-AGE;    MULTIPLE-MYELOMA/CO (complications), *DT (drug therapy);    OSTEOLYSIS/*PC (prevention & control). RN 0 (Diphosphonates);    40391-99-9 (amidronate);    7440-70-2 (Calcium). AB BACKGROUND:   Osteolytic  bone  destruction  caused  by  increase  of    osteolytic activity is a major manifestation of multiple myeloma (MM)    .    Pamidronate   (3-amino-1-hydroxypropylidene)-1,1-bisphosphonate)    inhibits  osteoclastic activity and reduces bone resorption. METHODS:    Since  October  1995  the  efficacy of pamidronate is evaluated in MM    patients  all  receiving  anti-myeloma chemotherapy acc. to VMCP/VBAP    alternating   regimen.   46  patients  with  stage  III  myeloma  and    osteolytic  lesions  were  randomized  to  receive either pamidronate    (Aredia;  Novartis) 60 mg i.v. in 4-hour infusion monthly (n = 23) or    chemotherapy  alone (control group n = 23). Estimation of performance    status,  quality  of  life,  pain score, analgesic consumption, serum    calcium  concentration and twenty four-hours Calcium excretion, urine    Calcium/creatinine  ratio  is  done  at  least  once  a month (before    pamidronate   administration)  while  X-ray  skeletal  survey--before    treatment  and then every six months. RESULTS: In the first months of    treatment  apparent  reduction  of bone pain occurred. Hypercalcaemia    was  revealed  in  6  patients at entry into the study. 
In 5 of these    patients  pamidronate  restored  and  maintained normocalcaemia for a    median   6   months.   In   3  patients  an  aggressive  plasma  cell    proliferation  was  accompanied by reoccurrence of hypercalcaemia. At    skeletal  X-ray  examination  performed  after  6  and  12  cycles of    pamidronate  and  by  comparing  each  of  consecutive  imaging  with    previous  one the progression of osteolysis was respectively found in    67%  and  39% of patients. In the control group corresponding figures    were:  79%  and  70%.  The mean number of skeletal events (pathologic    fracture, radiation to bone and spinal cord compression) per year was    lower in the pamidronate group (1.82) than in control-patients (2.72)    ,  p  0.013.  The proportion of patients who developed skeletal event    (excluding  vertebral  fractures)  was lower in the pamidronate group    -34%  v 52%. Adverse events of pamidronate: hypocalcaemia ( 2 mmol/l)    observed in 7 patients occurred in particular patients beginning from    2  to  7  days after drug administration. In 2 patients hypocalcaemia    that  appeared  in  24  hours  after drug infusion was accompanied by    blood  pressure decrease; in one case systolic blood pressure dropped    up  to 60 mmHg, in the other one--to 90 mmHg. Muscular pain and fever    up  to  39  degrees  C  (transient  and self-limiting "influenza like    syndrom") occurred in 5 patients, in two patients after several hours    and   in   three   other--after   some  dozens  of  hours  from  drug    administration.  In  one  case  hypertransaminasaemia  was  observed.    CONCLUSIONS:  In  the  first  year  of  treatment monthly intravenous    pamidronate  administration as an adjunct to chemotherapy in patients    with  advanced  multiple  myeloma  with  osteolysis  is  an efficient    approach    in   prevention   and   treatment   of   hyperacalcaemia,    hypercalciuria and bone pain. 
It also shows some preventive effect on    bone lesion occurrence. PT Clinical-Trial, Journal-Article, Randomized-Controlled-Trial. ED 20010503.';

if (preg_match('/(.|[\r\n])+/', $x)):
	$y = 1;
endif;
?>

 [2002-09-13 09:53 UTC] paul dot dodd at usb dot unibe dot ch
By php version 4.3.1 I mean 4.2.1 of course ;-)
 [2002-09-13 12:31 UTC] sniper@php.net
I can reproduce the crash on Linux too. But could you try
shortening the example script to something bit smaller?

 [2002-09-17 05:22 UTC] paul dot dodd at usb dot unibe dot ch
Tests of different lengths of string '$x' show that if
strlen($x) > 4040 the crash occurs, i.e. when the last
text is 'Randomized-Controlled-Trial' php will crash. A
shorter script as requested is:
<?php
$x = '';
while (true) {
	$x .= '*';
	$len = strlen($x);
	preg_match('/(.|[\r\n])+/', $x, $match);
	echo "<br />$len\n";
}
?>
 [2002-09-17 07:03 UTC] wez@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Could you supply a backtrace?
Also, could you try with a non-stable snapshot from the
last couple of days as the PCRE library was updated recently.
 [2002-09-17 07:10 UTC] wez@php.net
I didn't see that Jani reproduced this.

FWIW, I can not reproduce using current CVS or with
PHP 4.2.1 (the oldest version I had to hand just now)
using the short script that you provided.
 [2002-09-17 07:56 UTC] sniper@php.net
And I can still reproduce it with the short script and using latest CVS. (which has the new pcre lib)

 [2002-09-17 08:07 UTC] paul dot dodd at usb dot unibe dot ch
I've reproduced this using the php4-win32-latest snapshot.
The only difference is that it crashes at
char 3915 instead of 4041. Sorry, but no gdb, hence no
backtrace.
 [2002-09-20 04:45 UTC] devon at sitetronics dot com
I cannot reproduce this bug using the latest cvs on redhat 7.3.  The script just keeps going.  I cut it off after 20000 chars.

I also do not experience this problem with the latest cvs release on FreeBSD 4.6-STABLE.

Devon
 [2002-09-20 07:21 UTC] sniper@php.net
I still can reproduce it with latest CVS HEAD and RH 6.2/x86 

 [2002-09-26 11:21 UTC] wez@php.net
How about a backtrace? (Jani?)
Is it PHP or PCRE that's causing this problem?
 [2002-09-26 11:28 UTC] sniper@php.net
I'm not gonna put the whole backtrace here..it's quite long.. :) But here's the start of it.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (runnable)]
0x818d0d1 in match (eptr=0x853feb2 "", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, eptrb=0xbfe0225c, 
    flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3438
3438    }
(gdb) bt

#0  0x818d0d1 in match (eptr=0x853feb2 "", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, eptrb=0xbfe0225c, 
    flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3438
#1  0x818ddd1 in match (eptr=0x853feb1 "*", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0225c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#2  0x818d207 in match (eptr=0x853feb1 "*", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, eptrb=0xbfe0225c, 
    flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#3  0x818ddd1 in match (eptr=0x853feb0 "**", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0249c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#4  0x818d207 in match (eptr=0x853feb0 "**", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0249c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#5  0x818ddd1 in match (eptr=0x853feaf "***", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe026dc, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#6  0x818d207 in match (eptr=0x853feaf "***", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe026dc, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#7  0x818ddd1 in match (eptr=0x853feae "****", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0291c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#8  0x818d207 in match (eptr=0x853feae "****", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0291c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#9  0x818ddd1 in match (eptr=0x853fead "*****", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02b5c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#10 0x818d207 in match (eptr=0x853fead "*****", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02b5c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#11 0x818ddd1 in match (eptr=0x853feac "******", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02d9c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#12 0x818d207 in match (eptr=0x853feac "******", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02d9c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#13 0x818ddd1 in match (eptr=0x853feab "*******", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02fdc, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#14 0x818d207 in match (eptr=0x853feab "*******", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe02fdc, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#15 0x818ddd1 in match (eptr=0x853feaa "********", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0321c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#16 0x818d207 in match (eptr=0x853feaa "********", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0321c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#17 0x818ddd1 in match (eptr=0x853fea9 "*********", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0345c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#18 0x818d207 in match (eptr=0x853fea9 "*********", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0345c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#19 0x818ddd1 in match (eptr=0x853fea8 "**********", ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0369c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#20 0x818d207 in match (eptr=0x853fea8 "**********", ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, ims=0, 
    eptrb=0xbfe0369c, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3538
#21 0x818ddd1 in match (eptr=0x853fea7 '*' <repeats 11 times>, ecode=0x854397c "\0178", offset_top=4, md=0xbfffd348, 
    ims=0, eptrb=0xbfe038dc, flags=2) at /usr/src/web/php/php4/ext/pcre/pcrelib/pcre.c:3931
#22 0x818d207 in match (eptr=0x853fea7 '*' <repeats 11 times>, ecode=0x8543979 "H", offset_top=4, md=0xbfffd348, 

 [2002-09-26 12:51 UTC] wez@php.net
I know this might sound dumb, but do you have any stack size limits in place?
 [2002-09-26 13:10 UTC] wez@php.net
ulimit -S -s 1024 (1MB stack)
Crashes on a length of 1800.

ulimit -S -s 10240 (10MB stack)
Crashes on 18200.

ulimit -S -s 10240 (100MB stack)
Crashes on 182000. (takes a very long time to get there)

This feels pretty bogus to me, since that pattern is
looking for a match on all characters or all CRLF one or more times; it seems like an expensive way of setting
$y = 1 :-)

This is really a bug in pcrelib and not in PHP, so I'm
marking this as bogus.
A workaround if you insist on using this particular
pattern is to increase your stack size.  A better solution
for the code sample you provided probably looks like this:

if (strlen($x))
   $y = 1;

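The thread's diagnosis is that `(.|[\r\n])+` costs one level of PCRE `match()` recursion per subject character, so the crash point scales with the stack limit. The following is an added example (not from the bug report or from PHP's own code) showing how a modern PHP build can be made to fail gracefully on that pattern, and the two safer replacements; it assumes PHP 7.0 or later for `pcre.jit`, `pcre.recursion_limit` and `preg_last_error()`.

```php
<?php
// Added example, not part of the original bug report.
// Assumes PHP >= 7.0. pcre.jit is switched off so the subject is
// matched by the backtracking interpreter, as in the 2002 builds;
// the JIT matcher does not recurse per character.
ini_set('pcre.jit', '0');
// Bound the recursion/backtracking depth so a pathological subject
// returns an error from preg_match() instead of exhausting the stack.
ini_set('pcre.recursion_limit', '10000');
ini_set('pcre.backtrack_limit', '1000000');

/**
 * Run $pattern against $subject and report the outcome explicitly.
 * preg_match() returns false on a PCRE error; preg_last_error()
 * says which limit tripped (e.g. PREG_RECURSION_LIMIT_ERROR).
 */
function checkedMatch(string $pattern, string $subject): array
{
    $result = preg_match($pattern, $subject);
    $error  = preg_last_error();
    $msg    = $error === PREG_NO_ERROR
        ? 'ok'
        : (function_exists('preg_last_error_msg') ? preg_last_error_msg() : 'pcre error ' . $error);
    return ['matched' => $result === 1, 'failed' => $result === false, 'message' => $msg];
}

// Constructed subject: the same shape as the reporter's loop, built in
// one step and well past the ~4 KB at which the original build crashed.
$subject = str_repeat('*', 200000);

// 1. The pattern from the report: the alternation inside the repeated
//    group forces a backtracking frame per character, so with a finite
//    limit preg_match() fails (and reports why) rather than crashing.
$bad = checkedMatch('/(.|[\r\n])+/', $subject);

// 2. Same meaning with the /s modifier: "." then matches newlines too,
//    the alternation disappears, and ".+" is a plain greedy repeat.
$good = checkedMatch('/.+/s', $subject);

// 3. What the maintainer recommended: no regex at all for "is non-empty".
$plain = strlen($subject) > 0;

printf("report pattern: matched=%d failed=%d (%s)\n", $bad['matched'], $bad['failed'], $bad['message']);
printf("/.+/s         : matched=%d failed=%d (%s)\n", $good['matched'], $good['failed'], $good['message']);
printf("strlen check  : %d\n", $plain);
```

Code that treats `preg_match()`'s `false` as "no match" silently accepts the failure; checking `preg_last_error()` is what turns a limit trip into a visible error.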