Bug #45368 preg_replace_callback to non-existing function + custom errorhandler segfaults
Submitted: 2008-06-26 13:49 UTC Modified: 2008-08-16 01:00 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: Sjon at react dot com Assigned:
Status: No Feedback Package: PCRE related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
 [2008-06-26 13:49 UTC] Sjon at react dot com
Description:
------------
I have been working many hours to strip a 15000+ lines crashing script to a short and reproducible crash; so here it is. Unfortunately the code is still quite long, but anything I change will fix it, including the non-used function arguments. This code (still) crashes in php5.2-200806261230; so I hope someone might be able to fix this.

I know that the cause of the problem is that e->f calls a non-existing callback function ('e', 'x');

Reproduce code:
---------------
The bug can only be reproduced by downloading both http://home.parse.nl/~sjon/bug-reports/php/waa.txt and http://home.parse.nl/~sjon/bug-reports/php/meukee.php ; rename them both to .php and run 'waa.php'

Expected result:
----------------
Just the error 'preg_replace_callback(): Requires argument 2, 'e::x', to be a valid callback'

Actual result:
--------------
#0  0x080aa31a in preg_replace_impl (ht=3, return_value=0x895a888, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    is_callable_replace=1 '\001')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1283
#1  0x080aaa08 in zif_preg_replace_callback (ht=3, return_value=0x895a888, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1355
#2  0x0832fb58 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9768d8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#3  0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbf9768d8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#4  0x0832f6d8 in execute (op_array=0x895bdd8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#5  0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976a78)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#6  0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976a78)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#7  0x0832f6d8 in execute (op_array=0x895b9e8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#8  0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976c38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#9  0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976c38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#10 0x0832f6d8 in execute (op_array=0x895fde8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#11 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf976da8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#12 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf976da8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#13 0x0832f6d8 in execute (op_array=0x8958be4)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#14 0x082fe232 in zend_eval_string (str=0x8956c2c "$this->h('waa? meukee!');", 
    retval_ptr=0xbf976ea4, 
    string_name=0x8958b18 "/mnt/serve-a-lot/sjon/public_html/meukee.php(91) : regexp code") at /tmp/php5.2-200806261230/Zend/zend_execute_API.c:1195
#15 0x080a902e in preg_do_eval (eval_str=0x89589bc "$this->h('$0');", 
    eval_str_len=15, subject=0x8958aa4 "waa? meukee!", offsets=0x8958ae0, 
    count=1, result=0xbf976f28)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:899
#16 0x080a950c in php_pcre_replace_impl (pce=0x8989e08, 
    subject=0x8958aa4 "waa? meukee!", subject_len=12, replace_val=0x8958980, 
    is_callable_replace=0, result_len=0xbf9770b4, limit=-1, replace_count=0x0)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1031
#17 0x080a91fe in php_pcre_replace (regex=0x8958a34 "/.+/se", regex_len=6, 
    subject=0x8958aa4 "waa? meukee!", subject_len=12, replace_val=0x8958980, 
    is_callable_replace=0, result_len=0xbf9770b4, limit=-1, replace_count=0x0)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:933
#18 0x080aa017 in php_replace_in_subject (regex=0x89589f8, replace=0x8958980, 
    subject=0x89484dc, result_len=0xbf9770b4, limit=-1, 
    is_callable_replace=0 '\0', replace_count=0x0)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1233
#19 0x080aa92f in preg_replace_impl (ht=3, return_value=0x8958944, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, 
    is_callable_replace=0 '\0')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1331
#20 0x080aa9d1 in zif_preg_replace (ht=3, return_value=0x8958944, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1347
#21 0x0832fb58 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977398)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:200
#22 0x0833535a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbf977398)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:1679
#23 0x0832f6d8 in execute (op_array=0x895f64c)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#24 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977628)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#25 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977628)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#26 0x0832f6d8 in execute (op_array=0x895f64c)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#27 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf9777a8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#28 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf9777a8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#29 0x0832f6d8 in execute (op_array=0x895ea98)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#30 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977918)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#31 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977918)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#32 0x0832f6d8 in execute (op_array=0x895e888)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#33 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977af8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#34 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977af8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#35 0x0832f6d8 in execute (op_array=0x895c1f4)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#36 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977c88)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#37 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977c88)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#38 0x0832f6d8 in execute (op_array=0x895ec08)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#39 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf977e38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#40 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf977e38)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#41 0x0832f6d8 in execute (op_array=0x895df68)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#42 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf978038)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#43 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf978038)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#44 0x0832f6d8 in execute (op_array=0x895b708)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#45 0x0832fcc7 in zend_do_fcall_common_helper_SPEC (execute_data=0xbf978218)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:234
#46 0x08330777 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0xbf978218)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:322
#47 0x0832f6d8 in execute (op_array=0x89561b8)
    at /tmp/php5.2-200806261230/Zend/zend_vm_execute.h:92
#48 0x0830ab2a in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /tmp/php5.2-200806261230/Zend/zend.c:1134
#49 0x082ba6d4 in php_execute_script (primary_file=0xbf97a5a0)
    at /tmp/php5.2-200806261230/main/main.c:2007
#50 0x083859cf in main (argc=2, argv=0xbf97a6e4)
    at /tmp/php5.2-200806261230/sapi/cli/php_cli.c:1140
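
Added triage example (not part of the original report and not PHP project code): in the backtrace above, `preg_replace_impl` is on the stack at frame #0 and again at frame #19, reached through `preg_do_eval` and `zend_eval_string`. The Python script below parses a gdb `bt` listing, tolerates a pager prompt like the one kept in the sample, and flags PCRE functions that appear more than once; `parse_frames`, `reentered` and the abridged `SAMPLE` are names and data constructed for this illustration.

```python
import re
from collections import defaultdict

FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \(")
LOC = re.compile(r"\bat (\S+):(\d+)\s*$")
PAGER = "---Type <return> to continue"

# Constructed sample: four frames abridged from the report's trace (arguments
# shortened), with one gdb pager prompt left in place.
SAMPLE = """\
#0  0x080aa31a in preg_replace_impl (ht=3, is_callable_replace=1 '\\001')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1283
#1  0x080aaa08 in zif_preg_replace_callback (ht=3)
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1355
#14 0x082fe232 in zend_eval_string (str=0x8956c2c "$this->h('waa? meukee!');")
---Type <return> to continue, or q <return> to quit---
    at /tmp/php5.2-200806261230/Zend/zend_execute_API.c:1195
#19 0x080aa92f in preg_replace_impl (ht=3, is_callable_replace=0 '\\0')
    at /tmp/php5.2-200806261230/ext/pcre/php_pcre.c:1331
"""

def parse_frames(text):
    """Return [(index, function, file, line)] from a gdb 'bt' listing."""
    frames = []
    for raw in text.splitlines():
        if raw.startswith(PAGER):
            continue  # a pager prompt can split a frame from its 'at' line
        m = FRAME.match(raw)
        if m:
            frames.append([int(m.group(1)), m.group(2), None, None])
        loc = LOC.search(raw)
        if loc and frames and frames[-1][2] is None:
            frames[-1][2:] = [loc.group(1), int(loc.group(2))]
    return [tuple(f) for f in frames]

def reentered(frames, path_part="ext/pcre/"):
    """Map each function under path_part seen more than once to its frame indexes."""
    seen = defaultdict(list)
    for idx, func, path, _ in frames:
        if path and path_part in path:
            seen[func].append(idx)
    return {f: i for f, i in seen.items() if len(i) > 1}

if __name__ == "__main__":
    print(reentered(parse_frames(SAMPLE)))
```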


 [2008-06-26 14:51 UTC] sjon at react dot com
The correct URL is not http://home.parse.nl/~sjon/bug-reports/php/meukee.php but http://home.parse.nl/~sjon/bug-reports/php/meukee.txt
 [2008-06-26 14:58 UTC] felipe@php.net
Reproduced in PHP 5.2.7-dev (cli) (built: Jun  6 2008 12:12:11) 

5.3 and HEAD are OK.
 [2008-08-03 14:27 UTC] Sjon at react dot com
I have tried to reproduce this bug with php5.3-200808031230; and the script (still, as already tested by felipe@php.net) doesn't crash and behaves as expected.
 [2008-08-09 00:22 UTC] jani@php.net
Please try http://snaps.php.net/php5.2-latest.tar.gz as some PCRE patches were backported from PHP 5.3 yesterday.
 [2008-08-16 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 