Doc Bug #25754 preg_replace() and preg_replace_callback() crash with long matches
Submitted: 2003-10-04 19:56 UTC Modified: 2004-02-22 15:19 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ilya at lebedev dot net Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4CVS-2003-10-04 (stable) OS: Win32
Private report: No CVE-ID: None
 [2003-10-04 19:56 UTC] ilya at lebedev dot net
Description:
------------
Regular expression from J. Friedl's "Mastering Regular Expressions" book that matches paired HTML tags:
#<tag([^>]*)>(((?!</?tag(?:[^>]*)>).)*)</tag>#si

When there are more than 2100 bytes (symbols) between <tag> and </tag>, Apache crashes.

The same happens without the "s" modifier if the string has no "newline" codes.

Reproduce code:
---------------
===
preg_replace("#<tag([^>]*)>(((?!</?tag(?:[^>]*)>).)*)</tag>#si","","<tag> 2200 symbols</tag>");
===
or 
===
function callback (&$m) { return "";};
preg_replace_callback ("#<tag([^>]*)>(((?!</?tag(?:[^>]*)>).)*)</tag>#si","callback","<tag> 2200 symbols </tag>");
===

Expected result:
----------------
Match blocks bigger than 2100 symbols.

Actual result:
--------------
With more than 2100 symbols between tags, Apache crashes.

 [2003-10-04 22:04 UTC] sniper@php.net
From http://www.pcre.org/pcre.txt, LIMITATIONS:

"The maximum length of a subject string is the largest  
positive number that an integer variable can hold. However, 
PCRE uses recursion to handle subpatterns and indefinite  
repetition. This  means  that the available stack space may 
limit the size of a subject string that can be processed  by  
certain patterns."

This probably should be mentioned in our manual pages too.

(On Linux, the example script worked fine with 9344 chars between the tags, but 9345 crashed)

 [2003-10-28 18:16 UTC] coldrain at workingonit dot org
It seems the bug I reported (http://bugs.php.net/bug.php?id=26020) is a duplicate of this one. In this (now bogus) bug report there is more info on a similar, yet different case.
It should be noted that the maximum amount of data between pairs of tags in this PCRE case is not a constant, as it differs between platforms, even with the same installed PHP versions. On a Debian box, I was able to process about 11650 bytes between two matching div tags.
 [2004-02-22 15:19 UTC] nlopess@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.


 [2011-09-29 13:00 UTC] ferenczy at volny dot cz
It's an Apache stack overflow issue. You probably need to increase the Apache thread stack size, which is set on Windows to only 1 MB by default (8 MB on Linux).

See this for more info: https://bugs.php.net/bug.php?id=47689 (last post from me, [2011-09-29 12:35 UTC])
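
Added example (not part of the thread and not PHP project code): one way to make the stack limitation discussed above surface as a checked error instead of a crash or a silently skipped filter, assuming PHP 7 or later. The function name `strip_tag_blocks`, the limit value 10000, the 20000-byte input and the unrolled pattern are assumptions introduced here.

```php
<?php
// Added example; names and limit values are hypothetical, not from the report.

// Pattern from the report: the group around "." iterates once per character.
const PATTERN_REPORTED = '#<tag([^>]*)>(((?!</?tag(?:[^>]*)>).)*)</tag>#si';
// Assumed rewrite: same matches, but the group iterates once per run of
// non-"<" text, and possessive quantifiers keep no backtrack positions.
const PATTERN_UNROLLED = '#<tag([^>]*)>((?:[^<]++|<(?!/?tag[^>]*>))*+)</tag>#si';

// Cap matcher depth so a deep match stops with an error code before it can
// exhaust the stack. 10000 is an assumed value; size it to the real stack.
ini_set('pcre.recursion_limit', '10000');
// The PCRE JIT ignores the depth limit, so use the interpreter here.
ini_set('pcre.jit', '0');

function strip_tag_blocks(string $pattern, string $html): string
{
    $out = preg_replace($pattern, '', $html);
    if ($out === null) {
        // null means the engine gave up; never treat it as "nothing matched".
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR:
                $why = 'recursion limit';
                break;
            case PREG_BACKTRACK_LIMIT_ERROR:
                $why = 'backtrack limit';
                break;
            default:
                $why = 'error code ' . preg_last_error();
        }
        // Fail closed: the caller must not fall back to the unfiltered input.
        throw new RuntimeException("PCRE stopped on $why; input rejected");
    }
    return $out;
}

// Constructed input: 20000 filler bytes between the tags.
$html = '<tag>' . str_repeat('x', 20000) . '</tag>';
$patterns = ['reported' => PATTERN_REPORTED, 'unrolled' => PATTERN_UNROLLED];
foreach ($patterns as $name => $pattern) {
    try {
        $left = strlen(strip_tag_blocks($pattern, $html));
        printf("%s: matched, %d bytes left\n", $name, $left);
    } catch (RuntimeException $e) {
        printf("%s: %s\n", $name, $e->getMessage());
    }
}
```

Which pattern reaches the limit depends on the PCRE version and build, so run it on the target platform before choosing a limit.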
 
Last updated: Tue Apr 23 10:01:26 2019 UTC