Bug #39686 Segmentation fault
Submitted: 2006-11-29 16:16 UTC Modified: 2006-11-29 16:42 UTC
From: tom at ideaweb dot de Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.2.0 OS: PPC/MacOSX
Private report: No CVE-ID: None
 [2006-11-29 16:16 UTC] tom at ideaweb dot de
Description:
------------
Hi there,

Any PHP 5 version is crashing if I want to call my script. The problem is I cannot post code to reproduce the bug. I use the PHP Salesforce API to import data from an MSSQL database.

Does anyone have an idea? Is it PHP or something else?

Thx a bunch, Thomas

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbf7ffaf0
0x020242bc in match (eptr=0x13c2f9b "wIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA"..., ecode=0x186e850 "C\002#\024B\002,", offset_top=2, md=0xbfffce90, ims=4, eptrb=0xbf800994, flags=2, rdepth=6086) at /usr/local/src/php-5.2.0/ext/pcre/pcrelib/pcre_exec.c:378
378     {
(gdb) f 0
#0  0x020242bc in match (eptr=0x13c2f9b "wIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA1MDAgNTAwIDUwMCA"..., ecode=0x186e850 "C\002#\024B\002,", offset_top=2, md=0xbfffce90, ims=4, eptrb=0xbf800994, flags=2, rdepth=6086) at /usr/local/src/php-5.2.0/ext/pcre/pcrelib/pcre_exec.c:378
378     {
(gdb) p word[w_idx]

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbf7fffb0
0x9017d64c in NSLookupAndBindSymbol ()
The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on"
Evaluation of the expression containing the function (NSLookupAndBindSymbol) will be abandoned.
(gdb) p toupper(word[w_idx])
Cannot access memory at address 0xbf7fffd0
(gdb) p isalpha(toupper(word[w_idx]))
Cannot access memory at address 0xbf7fffd0

 [2006-11-29 16:18 UTC] tony2001@php.net
Looks like a stack overflow in PCRE (which is expected in certain conditions). But I can't say anything for sure without a short but complete reproduce case.
 [2006-11-29 16:31 UTC] tom at ideaweb dot de
I got it. It seems that preg_match is causing the trouble:

// Function wrapper added so the posted fragment runs as-is; the name is hypothetical.
function is_valid_utf8($pString)
{
    return preg_match( '%^(?:
	[\x09\x0A\x0D\x20-\x7E]             # ASCII
	| [\xC2-\xDF][\x80-\xBF]            # non-overlong 2-byte
	|  \xE0[\xA0-\xBF][\x80-\xBF]       # excluding overlongs
	| [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2} # straight 3-byte
	|  \xED[\x80-\x9F][\x80-\xBF]       # excluding surrogates
	|  \xF0[\x90-\xBF][\x80-\xBF]{2}    # planes 1-3
	| [\xF1-\xF3][\x80-\xBF]{3}         # planes 4-15
	|  \xF4[\x80-\x8F][\x80-\xBF]{2}    # plane 16
	)*$%xs', $pString
    );
}

But I have used this piece of code for years and it caused no trouble. Maybe it depends on the input string ($pString)???

I will try to make a reproduce case (in the next days)...

Thomas
 [2006-11-29 16:42 UTC] tony2001@php.net
Yes, it depends on the length of the string (rather, on the number of matches). This is a known problem of PCRE and there is a way to prevent the crash using recursion limits.
Unfortunately, this is not something we can fix, as the problem is in the PCRE library.
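The following is an added example, not code from the bug report or from PHP itself, showing what "using recursion limits" looks like in practice for the reporter's UTF-8 validation pattern: the pcre.recursion_limit and pcre.backtrack_limit settings (both introduced in PHP 5.2.0) are set so that an over-long input makes preg_match() return false with a PREG_*_LIMIT_ERROR code instead of exhausting the C stack, and the caller checks preg_last_error() rather than silently treating false as "no match". The limit values, the function name and the inputs are assumptions chosen for illustration.

```php
<?php
// Added example (not from the bug report): run the same UTF-8 validation
// pattern under PCRE limits so a huge input produces an error code, not a crash.

// Assumed, deliberately low limits so the failure path is reachable on the
// constructed input below; production values need tuning to the real workload.
ini_set('pcre.recursion_limit', '1000');
ini_set('pcre.backtrack_limit', '100000');

/**
 * Returns true/false for a definite answer and null when PCRE gave up,
 * so "could not validate" is never confused with "is not valid".
 */
function is_utf8_checked(string $s): ?bool
{
    $pattern = '%^(?:
        [\x09\x0A\x0D\x20-\x7E]             # ASCII
        | [\xC2-\xDF][\x80-\xBF]            # non-overlong 2-byte
        |  \xE0[\xA0-\xBF][\x80-\xBF]       # excluding overlongs
        | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2} # straight 3-byte
        |  \xED[\x80-\x9F][\x80-\xBF]       # excluding surrogates
        |  \xF0[\x90-\xBF][\x80-\xBF]{2}    # planes 1-3
        | [\xF1-\xF3][\x80-\xBF]{3}         # planes 4-15
        |  \xF4[\x80-\x8F][\x80-\xBF]{2}    # plane 16
        )*$%xs';

    $result = preg_match($pattern, $s);
    if ($result === false) {
        // false means a PCRE error, not "no match"; log which limit was hit.
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR:
                error_log('preg_match aborted: pcre.recursion_limit reached');
                break;
            case PREG_BACKTRACK_LIMIT_ERROR:
                error_log('preg_match aborted: pcre.backtrack_limit reached');
                break;
            default:
                error_log('preg_match failed with error code ' . preg_last_error());
        }
        return null;
    }
    return $result === 1;
}

// Constructed sample inputs.
$valid     = "caf\xC3\xA9";            // "cafe" with a valid 2-byte sequence
$truncated = "\xC3\x28";               // lead byte followed by a non-continuation byte
$huge      = str_repeat('5', 200000);  // valid ASCII, long enough to stress the limits

foreach (['valid' => $valid, 'truncated' => $truncated, 'huge' => $huge] as $label => $input) {
    $verdict = is_utf8_checked($input);
    printf("%-9s => %s\n", $label, $verdict === null ? 'UNKNOWN (limit hit)' : var_export($verdict, true));
}
```

Two things to keep in mind when reusing this: the `(?:...)*` form matches one character per iteration, so the resources consumed grow with input length and the limits must be sized against the largest string the application legitimately accepts; and on PHP 7 and later with pcre.jit enabled the JIT matcher does not recurse the same way, so the relevant error code there is PREG_JIT_STACKLIMIT_ERROR, which the default branch above still reports.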