php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41448 segmentation fault
Submitted: 2007-05-20 08:22 UTC Modified: 2007-05-21 08:57 UTC
From: whitephoenix at mail dot ru Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.2.2 OS: CentOS 4.3 64-Bit
Private report: No CVE-ID: None
 [2007-05-20 08:22 UTC] whitephoenix at mail dot ru
Description:
------------
The following source gives segfault on CentOS 4.3 64-Bit and  PHP 5.2.2.
Don't be scared, this regular expression is real parser for my templates-engine, and it works with other operation systems.
The result depends on Subject, so with '$var' it works well, but if '$var[anything]' then crashes.

Reproduce code:
---------------
<?php
echo 'proof of compilation'."\n";
preg_replace(
    '~(([\'"]).*?(?<!\\\\)\2|\w*\s*\(((?:(?R)|.)*?)\)'
    .'|[\$#]\w+#?(?:\\[(?:(?R)|((?:[^\\]\'"]*(?:([\'"]).*?(?<!\\\\)\5)?)*))*?\\]|\.[\$#]?\w+#?|->\s*[\$#]?\w+(?:\(((?:(?R)|.)*?)\))?)*'
    .'|-?\d+|(?<=^|[\s\)\:\.=+\-<>])(?:\w+)(?=$|[\s\|\.\:\(=+\-<>]))(\s+(?:is(?:\s+not)?\s+(?:odd|div|even)\s+by\s+-?\d+|is(?:\s+not)?\s+(?:odd|even)))?((?:\|@?\w+(?:\\:(?:'.'\w*\(((?:(?R)|.)*?)\)|[\$#]\w+#?(?:\\[(?:(?R)|((?:[^\\]\'"]*(?:([\'"]).*?(?<!\\\\)\11)?)*))*?\\]|\.[\$#]?\w+#?)*|[^\'"\:]*(?:[^\'"\:]*([\'"]).*?(?<!\\\\)\12[^\'"\:]*)*'.'))*)*)'
    .'|((?<=\s|\))(?:is\s+not|is|not\s+eq|eq|neq?|gt|lt|gt?e|ge|lt?e|mod)(?=\s|\()|(?:not\s+))'
    .'~si','any replacement','$var[index]');

Expected result:
----------------
"any replacement"

Actual result:
--------------
[root@72 _test]# php -q bug.php
proof of compilation
Segmentation fault


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-20 10:19 UTC] nlopess@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

I don't have access to a 64-bit machine, so I need the backtrace to take a look.
 [2007-05-21 01:08 UTC] judas dot iscariote at gmail dot com
PCRE crashes on match(), with either the bundled version or with latest 7.1. does not crash with 6.7.

this is reproducible in both 32 and 64 bit here, so you dont need a 64 bit machine to get a backtrace ;-)
 [2007-05-21 08:57 UTC] tony2001@php.net
The stack overflow in PCRE library has been reported numerous times to us, please search the database before reporting. 
The only thing we can do about it - limit the recursion using new INI options. The problem itself has nothing to do with PHP and should be reported to PCRE developers (but I'm sure they are well aware about it).

Btw, I'm unable to reproduce it using PCRE 7.1 (though I don't believe there were any major updates to this issue, so this must be caused by my OS/system/build/etc.).
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri May 27 18:06:15 2022 UTC