php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43301 mb_ereg*_replace() crashes when replacement string is invalid PHP expression
Submitted: 2007-11-15 01:35 UTC Modified: 2007-11-16 21:07 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: yoy dot noneoff at dfgh dot net Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.3CVS-2007-11-15 (CVS) OS: win xp sp2
Private report: No CVE-ID:
 [2007-11-15 01:35 UTC] yoy dot noneoff at dfgh dot net
Description:
------------
php crash on mbstring(php_mbstring.dll) when runnign as CGI.
'e' flag/option

and $replacement parameter contian php-expression with syntax error.

problem not present when php loaded as module(Apache) Parse error is thrown.



applay on the latest php 5.3
and also on php 5.2


Reproduce code:
---------------
<?php
$ptr = 'hello';

$txt = <<<doc
hello, I have got a cr*sh on you
doc;

echo C($ptr,'$1',$txt,'e');
?>

Expected result:
----------------
see Parse Error, similer to php loaded as module.


Actual result:
--------------
crash error 

AppName: php-cgi.exe	 AppVer: 5.3.0.0	 ModName: php_mbstring.dll
ModVer: 5.3.0.0	 Offset: 00031595



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-11-15 20:03 UTC] yoy dot noneoff at dfgh dot net
correct Reproduce code:
---------------
<?php
$ptr = 'hello';

$txt = <<<doc
hello, I have got a cr*sh on you
doc;

echo mb_ereg_replace($ptr,'$1',$txt,'e');
?>
 [2007-11-16 04:18 UTC] yoy dot noneoff at dfgh dot net
Function     Arg 1     Arg 2     Arg 3   Source 
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5     00000004     0112c838     00000000    
php_mbstring!zif_mb_ereg_replace+25     00000004     0112c838     00000000    
php5ts!zend_do_fcall_common_helper_SPEC+85b     00c0fbf0     00033f50     0112c28b    
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f     00000000     00033f50     00033f50    
php5ts!execute+1b7     0112c298     00033f50     00000000    
php5ts!zend_execute_scripts+107     00000008     00033f50     00000000    
php5ts!php_execute_script+20d     00c0fec8     00033f50     ed13662e    
php!main+c0e     00000002     00032cc0     00032f38    
php!mainCRTStartup+e3     ed13662e     01c827f6     7ffd4000    
kernel32!RegisterWaitForInputIdle+49     00402c12     00000000     00000000
 [2007-11-16 11:55 UTC] jani@php.net
Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1

Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35)
    at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35                              CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35)
    at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1  0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 "/home/jani/src/php-5.3/Zend/zend_operators.c", __zend_lineno=599)
    at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2  0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc "/home/jani/src/php-5.3/ext/mbstring/php_mbregex.c", __zend_lineno=742)
    at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3  0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0)
    at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4  0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5  0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6  0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7  0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8  0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9  0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140

 [2007-11-16 12:29 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-11-16 19:14 UTC] yoy dot noneoff at dfgh dot net
the crash issue is  indeed gone but two new problems appear

I download the latest package, and I notice that now there is  2 errors raised

PHP Parse error 
and 
PHP Fatal  error

prob 1: the rest of script execution stop

I also think the PHP Fatal error is NOT required , in addition  its a security risk.

for example

mb_ereg_replace('ptr','<script>alert(\'are you sure\')</script>','text with ptr','e')


return:

PHP Parse error:  syntax error, unexpected '<' in test.php: mbregex replace on line 1

PHP Fatal error:  mb_ereg_replace(): Failed evaluating code: 
<script>alert('are you sure')</script> in test.php on line 3
 [2007-11-16 21:07 UTC] jani@php.net
Those are expected and unfortunate side-effects and happen also if you do same using pcre.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 06:02:27 2014 UTC