Bug #26020 preg_replace causing segmentation fault
Submitted: 2003-10-28 12:08 UTC Modified: 2003-10-28 17:31 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: coldrain at workingonit dot org Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 4.3.3 OS: Linux
Private report: No CVE-ID: None
 [2003-10-28 12:08 UTC] coldrain at workingonit dot org
Description:
------------
Variable $fileContent is a rather small html file. A function (see below) converts some comment tags and writes the output to a different file. On a RH 8 install, the maximum size of this html file is 9233 bytes. Add 1 or more characters to the html file, and the function causes a segmentation fault. PHP version is 4.2.2 which comes standard with RedHat.
Also tested on a Debian 3.1 install, where the max size of the source html file proved to be 11690 bytes.

Reproduce code:
---------------
// Reporter's reproduce code, unchanged apart from comments. The pattern nests an
// unbounded [\d\D]* inside a repeated group, so the work PCRE has to do grows
// with the size of the matched region; the replacement rewrites each
// <div id="WebEdit" comment="..."> block as a #BeginEditable/#EndEditable pair.
function revertComments($fileContent) {
  $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
  $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
  // preg_replace() returns the converted content; on the reporter's build the
  // process segfaults inside this call once the input exceeds roughly 9 KB.
  $fileContent = preg_replace($pattern, $replace, $fileContent);
  return $fileContent;
}


Expected result:
----------------
The function should convert the input.

Actual result:
--------------
The script I used was called jjj.php. The output is only part of the strace. The size of the source html to be converted was 9234 bytes.

open("jjj.php", O_RDONLY)               = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET)            = 0
brk(0)                                  = 0x824c000
brk(0x8250000)                          = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0)                                  = 0x8250000
brk(0x8251000)                          = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096)                       = 0
brk(0)                                  = 0x8251000
brk(0x8252000)                          = 0x8252000
read(3, "", 8192)                       = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
brk(0)                                  = 0x8252000
brk(0x8254000)                          = 0x8254000
brk(0)                                  = 0x8254000
brk(0x8259000)                          = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The same script with the same html source file but 1 character removed has more or less the same output as above, but continues (see below) instead of segfaulting:

open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
write(1, "X-Powered-By: PHP/4.2.2", 23X-Powered-By: PHP/4.2.2) = 23
write(1, "\r\n", 2
)                     = 2
write(1, "Content-type: text/html", 23Content-type: text/html) = 23
write(1, "\r\n", 2
)                     = 2
write(1, "\r\n", 2
)                     = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280)               = 0
munmap(0x408e9000, 171372)              = 0
munmap(0x40913000, 42104)               = 0
munmap(0x4091e000, 42532)               = 0
munmap(0x40792000, 797228)              = 0
munmap(0x40855000, 76604)               = 0
munmap(0x40868000, 384604)              = 0
munmap(0x408c6000, 64436)               = 0
munmap(0x40014000, 4552)                = 0
munmap(0x408e0000, 34836)               = 0
munmap(0x40929000, 221952)              = 0
munmap(0x40016000, 14392)               = 0
munmap(0x40969000, 509688)              = 0
_exit(0)                                = ?

 [2003-10-28 17:31 UTC] sniper@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the existing bug instead.

Thank you for your interest in PHP.

See bug #25754 (I get the same GDB backtraces with your example script and the one in that report)

 [2011-09-29 13:01 UTC] ferenczy at volny dot cz
It's an Apache stack overflow issue. You probably need to increase Apache thread stack size, which is set on Windows to 1 MB only by default (8 MB on Linux).

See this for more info: https://bugs.php.net/bug.php?id=47689 (last post from me, [2011-09-29 12:35 UTC])
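The following is an added example, not the reporter's script and not code from PHP itself. It puts the reporter's pattern (the nested `[\d\D]*` repetition that makes match depth grow with input size) beside a rewrite with no nested quantifiers, and wraps preg_replace() so that the pcre.backtrack_limit / pcre.recursion_limit guards described in the later comments turn an exhausted match into a reported error rather than a crash. The input HTML is constructed, and the rewrite assumes an editable region contains no nested <div>.

```php
<?php
// Added example, not the reporter's script or PHP's own code. Shows the
// reporter's pattern next to a rewrite without nested unbounded repetition,
// and a wrapper that surfaces PCRE limit errors instead of letting the
// engine run until the stack is exhausted.

// Reporter's pattern: `[\d\D]*` repeated inside `(?: ... )*` lets the
// backtracking (and, in older PCRE, recursion) depth grow with input size.
const PATTERN_ORIGINAL = '/<div\s+id="?WebEdit"?\s+comment="([^"]+)">'
    . '((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU';

// Rewrite: one lazy `(.*?)` under /s, no nested quantifiers, so the engine
// walks the body once. Assumption: an editable region does not contain a
// nested <div> (the only case the original's inner alternative tried to cover).
const PATTERN_SAFE = '/<div\s+id="?WebEdit"?\s+comment="([^"]+)">(.*?)<\/div>/si';

const REPLACEMENT = '<!-- #BeginEditable "$1" -->$2<!-- #EndEditable -->';

// pcre.backtrack_limit / pcre.recursion_limit (PHP >= 5.2) bound the match so
// preg_replace() returns null instead of crashing; PHP 4.2 had no such knob.
ini_set('pcre.backtrack_limit', '1000');
ini_set('pcre.recursion_limit', '1000');

function revertCommentsChecked(string $fileContent, string $pattern): array
{
    $out = preg_replace($pattern, REPLACEMENT, $fileContent);
    if ($out === null) {
        $codes = [
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit hit',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit hit',
            PREG_BAD_UTF8_ERROR        => 'bad UTF-8',
            PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit hit',
        ];
        return [null, $codes[preg_last_error()] ?? 'unknown error'];
    }
    return [$out, null];
}

// Constructed input: one WebEdit region whose body is padded past the
// roughly 9 KB size at which the reporter's build segfaulted.
$html = '<div id="WebEdit" comment="intro">' . str_repeat('x', 10000) . "</div>\n";

foreach (['original' => PATTERN_ORIGINAL, 'safe' => PATTERN_SAFE] as $name => $p) {
    [$out, $err] = revertCommentsChecked($html, $p);
    echo $name, ': ', $err ?? 'converted ' . strlen($out) . ' bytes', "\n";
}
```

Whichever limit the original pattern trips first depends on the PCRE build and whether JIT is enabled, which is why the wrapper reports the code from preg_last_error() instead of assuming one.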
Last updated: Thu Mar 28 15:01:29 2024 UTC