Bug #21732 preg_replace() segfaults with invalid parameters
Submitted: 2003-01-18 14:03 UTC Modified: 2003-01-18 14:49 UTC
From: moriyoshi@php.net Assigned:
Status: Closed Package: PCRE related
PHP Version: 5CVS-2003-01-18 (dev) OS: RedHat 8.0
Private report: No CVE-ID: None
 [2003-01-18 14:03 UTC] moriyoshi@php.net
While handling the feature request (bug #7006), I found another bug.

<?php
$tvPrograms = array('Simpsons', 'Southpark', 'Disney Time');
$data = str_repeat('%col%', 100);
// string pattern with an array replacement: the combination the manual rules out
$htmlDoc = preg_replace('/%col%/', $tvPrograms, $data);
print $htmlDoc;
?>

I know the above script is incorrect as the manual goes:

> If pattern is an array and replacement is a string, then
> this replacement string is used for every value of
> pattern. The converse would not make sense, though. 

But I didn't expect it would segfault...

[backtrace]
#0  0x0806bd04 in php_pcre_replace (regex=0x400a6d64 "/%col%/", regex_len=7,
    subject=0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"...,
    subject_len=500, replace_val=0x400a6de4, is_callable_replace=0,
    result_len=0xbfffd334, limit=-1)
    at /home/koizumi/src/php5/ext/pcre/php_pcre.c:833
        re = (struct real_pcre *) 0x81bb678
        extra = (struct real_pcre_extra *) 0x0
        exoptions = 0
        preg_options = 0
        count = 1
        offsets = (int *) 0x400a7264
        size_offsets = 3
        new_len = 2122001
        alloc_len = 1001
        eval_result_len = 0
        match_len = 404
        backref = 3
        eval = 0
        start_offset = 0
        g_notempty = 0
        replace_len = 134564634
        result = 0x400a79fc 'Z' <repeats 28 times>, "\204?\217*ZZZZ?%\003"
        replace = 0x400a6e28 "\b"
        new_buf = 0x22c <Address 0x22c out of bounds>
        walkbuf = 0x400a7008 ",\002"
        walk = 0x402ad000 <Address 0x402ad000 out of bounds>
        match = 0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"...
        piece = 0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"...
        replace_end = 0x480fb942 <Address 0x480fb942 out of bounds>
        eval_result = 0x400a7234 "D"
        walk_last = 0 '\0'
#1  0x0806c518 in php_replace_in_subject (regex=0x400a6a8c,
    replace=0x400a6de4, subject=0x4009abc0, result_len=0xbfffd334, limit=-1,
    is_callable_replace=0 '\0')
    at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1013
        regex_entry = (struct _zval_struct **) 0x400a6ff4
        replace_entry = (struct _zval_struct **) 0x0
        replace_value = (struct _zval_struct *) 0x817dbe0
        empty_replace = {value = {lval = 135781248,
    dval = 6.7084849986250466e-316, str = {val = 0x817db80 "", len = 0},
    ht = 0x817db80, obj = {handle = 135781248, handlers = 0x0}},
  refcount = 135594816, type = 3 '\003', is_ref = 4 '\004'}
        subject_value = 0x8131450 "\203? \211\003?N"
        result = 0xbfffd2f8 "??\t@4???????"
        subject_len = 1074425912
#2  0x0806cb57 in preg_replace_impl (ht=3, return_value=0x400a6da0,
    this_ptr=0x0, return_value_used=1, is_callable_replace=0 '\0')
    at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1100
        regex = (struct _zval_struct **) 0x4009abb8
        replace = (struct _zval_struct **) 0x4009abbc
        subject = (struct _zval_struct **) 0x4009abc0
        limit = (struct _zval_struct **) 0x0
        subject_entry = (struct _zval_struct **) 0x400a6d70
        result = 0x8191400 ""
        result_len = 0
        limit_val = -1
        string_key = 0x44 <Address 0x44 out of bounds>
        num_key = 3221214040
        callback_name = 0x0
#3  0x0806cba8 in zif_preg_replace (ht=3, return_value=0x400a6da0,
    this_ptr=0x0, return_value_used=1)
    at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1111
No locals.
#4  0x08147cef in zend_do_fcall_common_helper (execute_data=0xbfffd5e0,
    op_array=0x400a5de4) at /home/koizumi/src/php5/Zend/zend_execute.c:2566
        original_return_value = (struct _zval_struct **) 0x12e
        current_scope = (struct _zend_class_entry *) 0x0
        current_this = (struct _zval_struct *) 0x0
        return_value_used = 1
#5  0x0814828b in zend_do_fcall_handler (execute_data=0xbfffd5e0,
    op_array=0x400a5de4) at /home/koizumi/src/php5/Zend/zend_execute.c:2692
        fname = (struct _zval_struct *) 0x400a64a8
#6  0x0814376a in execute (op_array=0x400a5de4)
    at /home/koizumi/src/php5/Zend/zend_execute.c:1218
        execute_data = {opline = 0x400a6484, function_state = {
    function_symbol_table = 0x0, function = 0x81bac28, reserved = {0x0, 0x0,
      0xbffff920, 0x0}}, fbc = 0x0, fbc_constructor = 0x0,
  op_array = 0x400a5de4, object = 0x0, Ts = 0xbfffd400,
  original_in_execution = 0 '\0', calling_scope = 0x0,
  prev_execute_data = 0x0}

...

#7  0x08132ede in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/koizumi/src/php5/Zend/zend.c:996
#8  0x08101892 in php_execute_script (primary_file=0xbffff920)
    at /home/koizumi/src/php5/main/main.c:1691
#9  0x0814e39b in main (argc=2, argv=0xbffff9b4)
    at /home/koizumi/src/php5/sapi/cli/php_cli.c:753
#10 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
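As an added example (not code from the report or from PHP's sources), the following shows the two defensive answers to this crash: a wrapper that enforces the manual's parameter rules before the engine sees the arguments, and the substitution the reporter's script was evidently after (successive matches replaced by successive array values) done through preg_replace_callback(). Function names are this example's own.

```php
<?php
// Added example, not part of the bug report or PHP's own sources.

/**
 * Enforce the documented preg_replace() parameter rules up front and turn a
 * PCRE failure (NULL return) into an exception instead of a silent empty value.
 */
function checked_preg_replace($pattern, $replacement, $subject, int $limit = -1): string
{
    if (is_string($pattern) && is_array($replacement)) {
        throw new InvalidArgumentException(
            'preg_replace(): a string pattern cannot take an array replacement');
    }
    if (is_array($pattern) && is_array($replacement)
        && count($replacement) < count($pattern)) {
        // Documented behaviour: extra patterns are replaced with the empty string.
        $replacement = array_pad($replacement, count($pattern), '');
    }
    $result = preg_replace($pattern, $replacement, $subject, $limit);
    if ($result === null) {
        throw new RuntimeException('preg_replace() failed, PCRE error ' . preg_last_error());
    }
    return $result;
}

/**
 * Replace the n-th match of $pattern with $values[n]; once the values are
 * exhausted, remaining matches are left untouched (a deliberate choice here).
 */
function replace_sequential(string $pattern, array $values, string $subject): string
{
    $i = 0;
    return preg_replace_callback($pattern, function (array $m) use (&$i, $values) {
        return $i < count($values) ? $values[$i++] : $m[0];
    }, $subject);
}

// Constructed input mirroring the report's script.
$tvPrograms = ['Simpsons', 'Southpark', 'Disney Time'];
$data = str_repeat('%col% ', 4);

try {
    // the same string-pattern / array-replacement combination as in the report
    checked_preg_replace('/%col%/', $tvPrograms, $data);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo replace_sequential('/%col%/', $tvPrograms, $data), "\n";
```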

 [2003-01-18 14:49 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

Last updated: Mon Nov 18 23:01:35 2019 UTC