Bug #36463 preg_match crashes
Submitted: 2006-02-20 16:26 UTC
Modified: 2010-01-20 23:22 UTC
Votes:11
Avg. Score:4.7 ± 0.6
Reproduced:11 of 11 (100.0%)
Same Version:5 (45.5%)
Same OS:6 (54.5%)
From: sthapa at site5 dot com
Assigned:
Status: Not a bug
Package: PCRE related
PHP Version: 5.1.2
OS: Linux
Private report: No
CVE-ID:
 [2006-02-20 16:26 UTC] sthapa at site5 dot com
Description:
------------
is_utf8() crashes on text

Reproduce code:
---------------
<?php
echo "Start Test, the data follows.<br><br>\n";
if ($fp = fopen("text.txt", "r")) {
   $contents = fread($fp, filesize("text.txt"));
   echo "$contents";
   fclose($fp);
}
echo "\n<br><br>The data is about to be passed to preg_match(). If you do not see the word 'Success' after this line, the program has crashed.<br>\n";
$truefalsetest=preg_match('%^(?:
         [\x09\x0A\x0D\x20-\x7E]            # ASCII
       | [\xC2-\xDF][\x80-\xBF]            # non-overlong 2-byte
       |  \xE0[\xA0-\xBF][\x80-\xBF]        # excluding overlongs
       | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}  # straight 3-byte
       |  \xED[\x80-\x9F][\x80-\xBF]        # excluding surrogates
       |  \xF0[\x90-\xBF][\x80-\xBF]{2}    # planes 1-3
       | [\xF1-\xF3][\x80-\xBF]{3}          # planes 4-15
       |  \xF4[\x80-\x8F][\x80-\xBF]{2}    # plane 16
   )*$%xs', $contents);
echo "Success. Return value of preg_match() = $truefalsetest.";
?>


Expected result:
----------------
Output with the success message.  The error appears when using either PHP 5.1.1 or PHP 4.4.2, both using suExec.  Testing this on FreeBSD systems doesn't cause the crash and works correctly.

Actual result:
--------------
Core file and output doesn't have the success message. 

root@xxx [/user/dir]# gdb php5.bin core.11662
GNU gdb Red Hat Linux (6.3.0.0-1.63rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...php5.bin: No such file or directory.

Core was generated by `php5.bin'.
Program terminated with signal 11, Segmentation fault.
#0  0x080a5c4c in ?? ()
(gdb) bt
#0  0x080a5c4c in ?? ()
Error accessing memory address 0xbf523ef0: No such file or directory.


 [2006-02-20 18:31 UTC] derick@php.net
Can you provide both the script and the text file in a zip archive and add the link to this report?
 [2006-02-28 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-03-05 06:55 UTC] php36463 at signalsinsync dot com
http://www.signalsinsync.com/t.zip
(also fails with PHP 4.4.0 and 4.4.1)
 [2006-03-06 15:19 UTC] sthapa at site5 dot com
The comment on Mar 5 has the requested information.
 [2006-03-06 16:42 UTC] derick@php.net
Don't assign bugs to me for code that I have not written before discussing please.
 [2006-03-12 22:36 UTC] mike@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2006-03-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-08-15 12:56 UTC] liviu dot mirea at gmail dot com
I have the same problem. Simply try the following simpler test case:

$count = 500;
$string = str_repeat("a", $count);
echo preg_match('/\A(
	     [\x09\x0A\x0D\x20-\x7E]
	   | [\xC2-\xDF][\x80-\xBF]
	   |  \xE0[\xA0-\xBF][\x80-\xBF]
	   | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}
	   |  \xED[\x80-\x9F][\x80-\xBF]
	   |  \xF0[\x90-\xBF][\x80-\xBF]{2}
	   | [\xF1-\xF3][\x80-\xBF]{3}
	   |  \xF4[\x80-\x8F][\x80-\xBF]{2}
	  )*\z/x', $string);

If it doesn't crash, try increasing the $count variable.
This bug seems to be related to (if not the same as) http://bugs.php.net/bug.php?id=27070

I'm sorry but I can't believe this bug has been around for 5 years.

Tested on PHP 5.3.0 and Windows 7 64bits
 [2010-01-19 16:02 UTC] stijn_koopal at hotmail dot com
Same problem with code of liviu dot mirea at gmail dot com.
OS: Windows 7 (32 bit)
PHP: 5.3.1
 [2010-01-19 16:06 UTC] pajoye@php.net
Which web server? Apache?
 [2010-01-20 22:44 UTC] liviu dot mirea at gmail dot com
I tested it again and it crashed on my current configuration: PHP 5.3.1, Apache/2.2.14 (Win32), Windows 7 (64 bit)
 [2010-01-20 22:47 UTC] rasmus@php.net
Works fine on Linux
 [2010-01-20 23:08 UTC] liviu dot mirea at gmail dot com
On CentOS 5.4, PHP 5.3.1, Apache/2.2.3:

With "$count = 5947;" it works. With "$count = 5948;" or higher it silently crashes. Apache error log: "[Thu Jan 21 01:02:15 2010] [notice] child pid 18136 exit signal Segmentation fault (11)"

rasmus at php at net, try giving it larger values.
 [2010-01-20 23:22 UTC] rasmus@php.net
Ah, I thought you meant the count=500 case crashed.  The higher numbers are simply overflowing libpcre's stack and you haven't set a sane limit.  This is not a bug.  This is a limitation of the pcre library and a configuration issue on your part.  Add this to your php.ini:

pcre.backtrack_limit = 10000
pcre.recursion_limit = 10000

And I bet your crash will go away.
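An added example (not part of the thread and not PHP's own code) of what the limits above mean for calling code: when a limit is hit, preg_match() returns false instead of 0 or 1, and the caller has to treat that as an error rather than as "no match". The name is_utf8_checked() is hypothetical; the possessive `++` on the ASCII branch is the stack-reducing rewrite described in PCRE's pcrestack documentation, applied here to the pattern from the original report.

```php
<?php
// Added example; is_utf8_checked() is a hypothetical name, not a PHP built-in.

// The limits from the comment above, set at runtime instead of in php.ini.
ini_set('pcre.backtrack_limit', '10000');
ini_set('pcre.recursion_limit', '10000');

function is_utf8_checked(string $bytes): bool
{
    // Alternation from the original report. Only change: "++" on the ASCII
    // branch, so a run of ASCII is consumed in one group iteration instead
    // of one iteration per byte (each iteration costs stack in the libpcre
    // versions discussed in this report).
    $pattern = '%^(?:
          [\x09\x0A\x0D\x20-\x7E]++          # ASCII run, possessive
        | [\xC2-\xDF][\x80-\xBF]             # non-overlong 2-byte
        |  \xE0[\xA0-\xBF][\x80-\xBF]        # excluding overlongs
        | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}  # straight 3-byte
        |  \xED[\x80-\x9F][\x80-\xBF]        # excluding surrogates
        |  \xF0[\x90-\xBF][\x80-\xBF]{2}     # planes 1-3
        | [\xF1-\xF3][\x80-\xBF]{3}          # planes 4-15
        |  \xF4[\x80-\x8F][\x80-\xBF]{2}     # plane 16
    )*$%xs';

    $result = preg_match($pattern, $bytes);
    if ($result === false) {
        // A limit was hit or the engine failed: this is NOT "no match".
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed inputs: long ASCII, a valid 2-byte sequence, an overlong "/".
$samples = [str_repeat('a', 6000), "caf\xC3\xA9", "\xC0\xAF"];
foreach ($samples as $s) {
    try {
        echo strlen($s), ' bytes: ', is_utf8_checked($s) ? 'valid' : 'invalid', "\n";
    } catch (RuntimeException $e) {
        // Fail closed: input that could not be checked is not accepted.
        echo strlen($s), ' bytes: rejected, ', $e->getMessage(), "\n";
    }
}
```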
 [2011-10-11 12:53 UTC] nicolas at toniazzi dot net
I reduced the test case to this:
$count  = 203;
$string = str_repeat("a", $count);
echo preg_match('/^(a)+$/', $string, $m);

Crashes for count > 202 on Windows 7, apache 2.2 and php 5.3.8 (all 64 bits).
But it's working with the CLI, using the same php.ini.

Adding the pcre.* directives in php.ini didn't help.
 