Bug #36203 preg_replace crashes apache22 when given a large input and a lazy regex
Submitted: 2006-01-30 03:40 UTC Modified: 2006-01-30 04:51 UTC
From: freebsd at akruijff dot dds dot nl Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.1.2 OS: FreeBSD
Private report: No CVE-ID: None

 

 [2006-01-30 03:40 UTC] freebsd at akruijff dot dds dot nl
Description:
------------
The preg_replace instruction I've written should remove everything between [!-- and --]. This can include newlines.

The code used to run just fine until I upgraded from apache20 to apache22 this month. So I am not sure whether this is a php bug or an apache22 bug.

When this code is run then apache22 reports:
[Mon Jan 30 03:07:16 2006] [notice] child pid 2921 exit signal Illegal instruction (4)

I've been able to avoid a crash by reducing the input a lot (approx. 80%) or changing the regex from \[!--(.|\n)*?--\] to \[!--(.*|\n)*?--\].

Reproduce code:
---------------
<?php
$output = "[!--\n[table class=\"bigtext\"]\n[thead]\n[tr][td align='center' colspan='3'][b]Overview firewall rules[/b][/td][/tr]\n[tr][td]Start rule number[/td][td]Stop rule numer[/td][td]Purpose[/td][/tr]\n[/thead]\n[tbody]\n[tr][td align='center']100[/td][td align='center']199[/td][td]Count or allow traffic on the NICs[/td][/tr]\n[tr][td][br][/td][td][br][/td][td][br][/td][/tr]\n[tr][td align='center']1000[/td][td align='center']1999[/td][td][b]Early allow[/b][/td][/tr]\n[tr][td align='center']1000[/td][td align='center']1099[/td][td]Allow local traffic[/td][/tr]\n[tr][td align='center']1300[/td][td align='center']1399[/td][td]Allow local services and deny alternatives[/td][/tr]\n[tr][td][br][/td][td][br][/td][td][br][/td][/tr]\n[tr][td align='center']2000[/td][td align='center']2999[/td][td][b]Early deny / reject[/b][/td][/tr]\n[tr][td align='center']2000[/td][td align='center']2099[/td][td]Deny spoofing[/td][/tr]\n[tr][td align='center']2100[/td][td align='center']2199[/td][td]Blocked hosts by portsentry (thirth part application)[/td][/tr]\n[tr][td align='center']2200[/td][td align='center']2499[/td][td]Blocklist (written by a one of my scripts)[/td][/tr]\n[tr][td align='center']2900[/td][td align='center']2999[/td][td]Tempory block (intented until ipa is run)[/td][/tr]\n[tr][td][br][/td][td][br][/td][td][br][/td][/tr]\n[tr][td align='center']3000[/td][td align='center']3999[/td][td][b]Network Address Transtion + Dummynet[/b][/td][/tr]\n[tr][td align='center']3000[/td][td align='center']3099[/td][td]Selecting traffic shaping and natd traffic[/td][/tr]\n[tr][td align='center']3100[/td][td align='center']3199[/td][td]Traffic shaping up[/td][/tr]\n[tr][td align='center']3200[/td][td align='center']3299[/td][td]Passing though natd[/td][/tr]\n[tr][td align='center']3300[/td][td align='center']3399[/td][td]Traffic shaping down (for natd traffic)[/td][/tr]\n[tr][td align='center']3400[/td][td align='center']3499[/td][td]Traffic shaping down (for non-natd 
traffic)[/td][/tr]\n[tr][td][br][/td][td][br][/td][td][br][/td][/tr]\n[tr][td align='center']4000[/td][td align='center']4999[/td][td][b]Selection for skipto 5xxxx[/b][/td][/tr]\n[tr][td align='center']4000[/td][td align='center']4099 [/td][td]Skipto 5x000 traffic based on IP number[/td][/tr]\n[tr][td align='center']4100[/td][td align='center']4199[/td][td]Skipto 5x000 traffic based on account information[/td][/tr]\n[tr][td align='center']4600[/td][td align='center']4699[/td][td]STATEFUL Firewall[/td][/tr]\n[tr][td align='center']4900[/td][td align='center']4999[/td][td]Deny everything else[/td][/tr]\n[tr][td][br][/td][td][br][/td][td][br][/td][/tr]\n[tr][td align='center']50000[/td][td align='center']59999[/td][td][b]Count traffic for a user (IP or account)[/b][/td][/tr]\n[tr][td align='center']5x000[/td][td align='center'5x999[/td][td]Selecting out or in[/td][/tr]\n[tr][td align='center']5x100[/td][td align='center']5x499[/td][td]Counting traffic out[/td][/tr]\n[tr][td align='center']5x600[/td][td align='center']5x999[/td][td]Counting traffic in[/td][/tr]\n[/tbody]\n[/table]\n --]\n";
$output = preg_replace('/\[!--(.|\n)*?--\]/', '', $output);
echo 'output="'.$output.'"';
?>



 [2006-01-30 04:51 UTC] sniper@php.net
Yes, you hit the inherent problem with PCRE and its limits.
(try searching the bug db for PCRE crashes and you'll find a longer explanation)
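
The following is an added example, not part of the bug report or of the PHP project's reply. It shows a defensive way to do the replacement described above: the `s` modifier lets `.` match newlines so the per-character group `(.|\n)*?` is not needed, and a `null` return from `preg_replace()` is treated as a PCRE limit failure instead of an empty result. The function name `strip_comment_blocks` and the sample input are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the bug report): strip [!-- ... --] blocks.
function strip_comment_blocks(string $text): string
{
    // With /s, "." also matches "\n", so the lazy quantifier applies to a
    // single-character item instead of repeating a capturing group once
    // per input character as (.|\n)*? does.
    $result = preg_replace('/\[!--.*?--\]/s', '', $text);

    // preg_replace() returns null when PCRE gives up (limit reached, bad
    // input). Treat that as a failure, never as "nothing left to output".
    if ($result === null) {
        $names = [
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'pcre.backtrack_limit exceeded',
            PREG_RECURSION_ERROR       => 'pcre.recursion_limit exceeded',
            PREG_BAD_UTF8_ERROR        => 'malformed UTF-8',
            PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit exceeded',
        ];
        $code = preg_last_error();
        throw new RuntimeException(
            'PCRE failed: ' . ($names[$code] ?? "code $code")
        );
    }
    return $result;
}

// Constructed sample input: one multi-line block much larger than the
// one in the report.
$rows  = str_repeat("[tr][td]100[/td][td]199[/td][/tr]\n", 5000);
$input = "before\n[!--\n[table]\n" . $rows . "[/table]\n --]\nafter\n";

try {
    echo strip_comment_blocks($input);
} catch (RuntimeException $e) {
    // Log and fail closed; do not echo a partial or empty result.
    error_log($e->getMessage());
}
```

The `pcre.backtrack_limit` and `pcre.recursion_limit` ini settings that these error codes refer to were introduced in PHP 5.2.0, after the version in this report.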
 
Last updated: Thu Apr 18 01:01:28 2024 UTC