|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2007-06-20 21:06 UTC] judas dot iscariote at gmail dot com
[2007-06-20 21:44 UTC] nlopess@php.net
[2007-06-21 09:40 UTC] joe at emomentum dot co dot uk
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 26 06:01:32 2024 UTC |
Description: ------------ Couldn't see this anywhere else (similar but not close enough). Located an apparent bug in the PCRE library, although this might be relating to the way PHP calls the library (I'll post this to the PCRE list as well). Reproducable if slightly random crash occurs when using regex's with certain hex strings on longish (and random) strings. Weirdly, the length of the string directly relates to the chance of a segfault, and the segfault only occurs with certain ranges of hex strings (specifically, ONLY over x7A and ONLY with text strings of exactly 4843 bytes or longer). Note that using the regex /^([\x00-\x7A])*$/ causes a segfault, whereas /^([\x00-\x71])*$/ or /^([\x00-\x79])*$/ does not. Running on Debian Etch 64bit (amd64) with latest stable PHP and libpcre3_6.7-1_amd64 installed. Regards, Joe Harris Senior Developer eMomentum Limited Reproduce code: --------------- <?php /* the length of the string determines the chance of a segfault. */ $strlen = 4846; /* almost total segfault, roughly 100% segfaults*/ //$strlen = 4845; /* almost always segfault, roughly 95% segfaults */ //$strlen = 4844; /* mostly segfault, roughly 80% segfaults */ //$strlen = 4843; /* regularly segfault, roughly 30% segfaults */ //$strlen = 4842; /* run without error, roughly 0% segfaults */ $alphabet = range('a', 'z'); /* range of lowercase letters */ $str = null; /* generate the random string */ for($i = 0; $i < $strlen; $i++) { $str .= $alphabet[rand(0,25)]; } /* perform our regex of doom */ $result = preg_match('/^([\x00-\x7A])*$/', $str); /* spam our (what should be) boolean result */ var_dump($result); ?> Expected result: ---------------- int(0) (false, never going to match a-z random string) Actual result: -------------- Segmentation fault (core dumped) ----- when running in gdb: This GDB was configured as "x86_64-linux-gnu"...(no debugging symbols found) Using host libthread_db library "/lib/libthread_db.so.1". (gdb) run test.php Starting program: /usr/bin/php test.php (no debugging symbols found) [snip - lots of these] (no debugging symbols found) [Thread debugging using libthread_db enabled] [New Thread 47782002024432 (LWP 11134)] (no debugging symbols found) [snip - lots of these] (no debugging symbols found) testing a string of 4846 bytes in length Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 47782002024432 (LWP 11134)] 0x00002b751be871a8 in pcre_dfa_exec () from /usr/lib/libpcre.so.3