php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #37125 "str_replace" causes system overflow when using regexp's as replace
Submitted: 2006-04-18 18:04 UTC Modified: 2006-04-18 21:29 UTC
From: realbora at gmx dot de Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.1.2 OS: windows 2000
Private report: No CVE-ID: None
View Developer Edit
 [2006-04-18 18:04 UTC] realbora at gmx dot de 
Description:
------------
"str_replace" causes buffer overflow when using regexp's as replace!
When using regexp`s as the replacement in "str_replace" a system hangup can cause.
Not ever, but in general is this the failure.

Reproduce code:
---------------
$regExp=array(":","-","{","}","(",")","~","[","]","#","|");
$sql2=mysql_query('select * from smilies;');
for($i=0;$temp2=mysql_fetch_array($sql2);$i++){
	$smilie[$i]=$temp2['smilie'];
	for($j=0;$j<=count($regExp);$j++){
		$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i]);
		}
	$file[$i]='<img border="0" src="./bilder/smilies/'.$temp2['file'].'">';
	$neu_post=preg_replace("/$smilie[$i]/",$file[$i],$neu_post);
	echo $smilie[$i].'<br>';
	$neu_post1=substr($neu_post, 0, 60+$x);
}

Expected result:
----------------
Memoryuse grows very fast until system hangup.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-04-18 18:09 UTC] tony2001@php.net 
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.
 [2006-04-18 19:37 UTC] realbora at gmx dot de 
I don`t have a Webserver with W2K on the web. I only got this problem on my home-pc with a lokal webserver (IIS 5) for testing.
You don't need a database or any other resources for this script. You only have do modify it a bit!

modified script without a need of resources:

$smilie=array(":-)",";-)",":-}","}:-)",":-#",":|");
$regExp=array(":","-","{","}","(",")","~","[","]","#","|");
$sql2=mysql_query('select * from smilies;');
for($i=0;$i<=count($smilie);$i++){
	for($j=0;$j<=count($regExp);$j++){
		$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i])
;
		}
	$file[$i]='<img border="0">';
	$neu_post=preg_replace("/$smilie[$i]/",$file[$i],$neu_post);
	echo $smilie[$i].'<br>';
	$neu_post1=substr($neu_post, 0, 60+$x);
}
 [2006-04-18 19:50 UTC] derick@php.net 
We're not going to write a script for you here. You'll have to show us that there is a bug, which you can do by providing us with a standalone script that we don't have to modify.
 [2006-04-18 20:34 UTC] realbora at gmx dot de 
I think I made a mistake.
I found out, that I only have to modify the line "$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i])"
like that "$smilie[$i]=str_replace($regExp[$j],"\\".$regExp[$j],$smilie[$i])".
And than it works.
But I think it's a little bit funny that the first code works 1 of 10 times.
OK.
Sorry that I interrupted you at your work. I know it's not easy for you to solve so many problems without any deeper informations.
 [2006-04-18 21:29 UTC] tony2001@php.net 
The error message are pretty clear:
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 8 in .. on line 9
\\:\\-\\)
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 6 in .. on line 9
;\\-\\)
\\:\\-\\}
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 11 in .. on line 9
\\}\\:\\-\\)
\\:\\-\\#
\\:\\|
Fatal error: Allowed memory size of 8388608 bytes exhausted at /usr/src/dev/clean/php-src_5_1/ext/pcre/php_pcre.c:955 (tried to allocate 8519140 bytes)

No PHP bug -> bogus.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 03:01:30 2025 UTC