php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #45368 preg_replace_callback to non-existing function + custom errorhandler segfaults
Submitted: 2008-06-26 13:49 UTC Modified: 2008-08-16 01:00 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: Sjon at react dot com Assigned:
Status: No Feedback Package: PCRE related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2008-06-26 13:49 UTC] Sjon at react dot com 
Description:
------------
I have been working many hours to strip a 15000+ lines crashing script to a short and reproducible crash; so here it is. Unfortunately the code is still quite long, but anything I change will fix it, including the non-used function arguments. This code (still) crashes in php5.2-200806261230; so I hope someone might be able to fix this.

I know that the cause of the problem is that e->f calls a non-existing callback function ('e', 'x');

Reproduce code:
---------------
The bug can only be reproduced by downloading both http://home.parse.nl/~sjon/bug-reports/php/waa.txt and http://home.parse.nl/~sjon/bug-reports/php/meukee.php ; rename them both to .php and run 'waa.php'

Expected result:
----------------
Just the error 'preg_replace_callback(): Requires argument 2, 'e::x', to be a valid callback'

Actual result:
--------------
#0  0x080aa31a in preg_replace_impl (ht=3, return_value=0x895a888, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    is_callable_replace=1 '\001')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1283
#1  0x080aaa08 in zif_preg_replace_callback (ht=3, return_value=0x895a888, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1355
#2  0x0832fb58 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9768d8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#3  0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbf9768d8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#4  0x0832f6d8 in execute (op_array=0x895bdd8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#5  0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976a78)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#6  0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976a78)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#7  0x0832f6d8 in execute (op_array=0x895b9e8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#8  0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976c38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#9  0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976c38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
---Type <return> to continue, or q <return> to quit---
#10 0x0832f6d8 in execute (op_array=0x895fde8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#11 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976da8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#12 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976da8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#13 0x0832f6d8 in execute (op_array=0x8958be4)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#14 0x082fe232 in zend_eval_string (str=0x8956c2c "$this->h('waa? meukee!');", 
    retval_ptr=0xbf976ea4, 
    string_name=0x8958b18 "/mnt/serve-a-lot/sjon/public_html/meukee.php(91) : regexp code") at /tmp/php5.2-200806261230/Zend/zend_execute_API.c:1195
#15 0x080a902e in preg_do_eval (eval_str=0x89589bc "$this->h('$0');", 
    eval_str_len=15, subject=0x8958aa4 "waa? meukee!", offsets=0x8958ae0, 
    count=1, result=0xbf976f28)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:899
#16 0x080a950c in php_pcre_replace_impl (pce=0x8989e08, 
    subject=0x8958aa4 "waa? meukee!", subject_len=12, replace_val=0x8958980, 
    is_callable_replace=0, result_len=0xbf9770b4, limit=-1, replace_count=0x0)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1031
#17 0x080a91fe in php_pcre_replace (regex=0x8958a34 "/.+/se", regex_len=6, 
    subject=0x8958aa4 "waa? meukee!", subject_len=12, replace_val=0x8958980, 
    is_callable_replace=0, result_len=0xbf9770b4, limit=-1, replace_count=0x0)
---Type <return> to continue, or q <return> to quit---
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:933
#18 0x080aa017 in php_replace_in_subject (regex=0x89589f8, replace=0x8958980, 
    subject=0x89484dc, result_len=0xbf9770b4, limit=-1, 
    is_callable_replace=0 '\0', replace_count=0x0)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1233
#19 0x080aa92f in preg_replace_impl (ht=3, return_value=0x8958944, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    is_callable_replace=0 '\0')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1331
#20 0x080aa9d1 in zif_preg_replace (ht=3, return_value=0x8958944, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1347
#21 0x0832fb58 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977398)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#22 0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbf977398)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#23 0x0832f6d8 in execute (op_array=0x895f64c)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#24 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977628)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#25 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977628)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#26 0x0832f6d8 in execute (op_array=0x895f64c)
---Type <return> to continue, or q <return> to quit---
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#27 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9777a8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#28 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf9777a8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#29 0x0832f6d8 in execute (op_array=0x895ea98)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#30 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977918)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#31 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977918)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#32 0x0832f6d8 in execute (op_array=0x895e888)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#33 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977af8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#34 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977af8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#35 0x0832f6d8 in execute (op_array=0x895c1f4)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#36 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977c88)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#37 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977c88)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
---Type <return> to continue, or q <return> to quit---
#38 0x0832f6d8 in execute (op_array=0x895ec08)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#39 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977e38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#40 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977e38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#41 0x0832f6d8 in execute (op_array=0x895df68)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#42 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf978038)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#43 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf978038)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#44 0x0832f6d8 in execute (op_array=0x895b708)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#45 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf978218)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#46 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf978218)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#47 0x0832f6d8 in execute (op_array=0x89561b8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#48 0x0830ab2a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php5.2-200806261230/Zend/zend.c:1134
#49 0x082ba6d4 in php_execute_script (primary_file=0xbf97a5a0)
---Type <return> to continue, or q <return> to quit---
    at /tmp/php5.2-200806261230/main/main.c:2007
#50 0x083859cf in main (argc=2, argv=0xbf97a6e4)
    at /tmp/php5.2-200806261230/sapi/cli/php_cli.c:1140

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-26 14:51 UTC] sjon at react dot com 
The correct URL is not http://home.parse.nl/~sjon/bug-reports/php/meukee.php but http://home.parse.nl/~sjon/bug-reports/php/meukee.txt
 [2008-06-26 14:58 UTC] felipe@php.net 
Reproduced in PHP 5.2.7-dev (cli) (built: Jun  6 2008 12:12:11) 

5.3 and HEAD are OK.
 [2008-08-03 14:27 UTC] Sjon at react dot com 
I have tried to reproduce this bug with php5.3-200808031230; and the script (still, as already tested by felipe@php.net) doesn't crash and behaves as expected.
 [2008-08-09 00:22 UTC] jani@php.net 
Please try http://snaps.php.net/php5.2-latest.tar.gz as some PCRE patche
s were backported from PHP 5.3 yesterday.
 [2008-08-16 01:00 UTC] php-bugs at lists dot php dot net 
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 03:01:30 2025 UTC