PHP :: Bug #37125 :: "str_replace" causes system overflow when using regexp's as replace

Bug #37125	"str_replace" causes system overflow when using regexp's as replace
Submitted:	2006-04-18 18:04 UTC	Modified:	2006-04-18 21:29 UTC
From:	realbora at gmx dot de	Assigned:
Status:	Not a bug	Package:	Strings related
PHP Version:	5.1.2	OS:	windows 2000
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	realbora at gmx dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-04-18 18:04 UTC] realbora at gmx dot de

Description:
------------
"str_replace" causes buffer overflow when using regexp's as replace!
When using regexp`s as the replacement in "str_replace" a system hangup can cause.
Not ever, but in general is this the failure.

Reproduce code:
---------------
$regExp=array(":","-","{","}","(",")","~","[","]","#","|");
$sql2=mysql_query('select * from smilies;');
for($i=0;$temp2=mysql_fetch_array($sql2);$i++){
	$smilie[$i]=$temp2['smilie'];
	for($j=0;$j<=count($regExp);$j++){
		$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i]);
		}
	$file[$i]='<img border="0" src="./bilder/smilies/'.$temp2['file'].'">';
	$neu_post=preg_replace("/$smilie[$i]/",$file[$i],$neu_post);
	echo $smilie[$i].'<br>';
	$neu_post1=substr($neu_post, 0, 60+$x);
}

Expected result:
----------------
Memoryuse grows very fast until system hangup.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-04-18 18:09 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.

[2006-04-18 19:37 UTC] realbora at gmx dot de

I don`t have a Webserver with W2K on the web. I only got this problem on my home-pc with a lokal webserver (IIS 5) for testing.
You don't need a database or any other resources for this script. You only have do modify it a bit!

modified script without a need of resources:

$smilie=array(":-)",";-)",":-}","}:-)",":-#",":|");
$regExp=array(":","-","{","}","(",")","~","[","]","#","|");
$sql2=mysql_query('select * from smilies;');
for($i=0;$i<=count($smilie);$i++){
	for($j=0;$j<=count($regExp);$j++){
		$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i])
;
		}
	$file[$i]='<img border="0">';
	$neu_post=preg_replace("/$smilie[$i]/",$file[$i],$neu_post);
	echo $smilie[$i].'<br>';
	$neu_post1=substr($neu_post, 0, 60+$x);
}

[2006-04-18 19:50 UTC] derick@php.net

We're not going to write a script for you here. You'll have to show us that there is a bug, which you can do by providing us with a standalone script that we don't have to modify.

[2006-04-18 20:34 UTC] realbora at gmx dot de

I think I made a mistake.
I found out, that I only have to modify the line "$smilie[$i]=str_replace($regExp[$j],"\\"."\\".$regExp[$j],$smilie[$i])"
like that "$smilie[$i]=str_replace($regExp[$j],"\\".$regExp[$j],$smilie[$i])".
And than it works.
But I think it's a little bit funny that the first code works 1 of 10 times.
OK.
Sorry that I interrupted you at your work. I know it's not easy for you to solve so many problems without any deeper informations.

[2006-04-18 21:29 UTC] tony2001@php.net

The error message are pretty clear:
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 8 in .. on line 9
\\:\\-\\)
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 6 in .. on line 9
;\\-\\)
\\:\\-\\}
Warning: preg_replace(): Compilation failed: unmatched parentheses at offset 11 in .. on line 9
\\}\\:\\-\\)
\\:\\-\\#
\\:\\|
Fatal error: Allowed memory size of 8388608 bytes exhausted at /usr/src/dev/clean/php-src_5_1/ext/pcre/php_pcre.c:955 (tried to allocate 8519140 bytes)

No PHP bug -> bogus.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 10:01:28 2024 UTC