php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47689 crash with certain regular expression
Submitted: 2009-03-17 13:57 UTC Modified: 2011-09-29 13:34 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:4 (100.0%)
From: vrana@php.net Assigned: pajoye
Status: Not a bug Package: PCRE related
PHP Version: 5.*, 6CVS (2009-03-17) OS: win32 only
Private report: No CVE-ID:
 [2009-03-17 13:57 UTC] vrana@php.net
Description:
------------
Apache 2.2.11 crashes with PHP 5.2.9-1 on the following code. The same script run from CLI executes without crash.

Reproduce code:
---------------
<?php
$contents = '/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */';
// shortest possible example, omitting last line causes no crash

$contents = preg_replace('@/\\*(?:.|[\\n\\r])*?\\*/@', '', $contents);
?>


Expected result:
----------------
Empty string in $contents.

Actual result:
--------------
Apache crash.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-03-18 13:10 UTC] vrana@php.net
I've uploaded the backtrace analysis to http://www.vrana.cz/phpbug47689.zip
 [2009-03-18 23:16 UTC] felipe@php.net
Hi Jakub,
please check the pcre.backtrack_limit and pcre.recursion_limit value.
 [2009-03-19 10:22 UTC] vrana@php.net
Both configuration directives are on the default value 100000.

I've found out that with much longer input (600 lines) the script crashes also in CLI.

There's no crash in PHP 5.2.8, only PHP 5.2.9 is affected.
 [2009-04-10 15:15 UTC] nlopess@php.net
this is the usual stack problem.
Since we now use the stack for PCRE recursion on Windows, I think we could increase the stack size. The default (1 MB) is a little short..
Pierre: can you please increase the stack size on windows binaries to e.g. 8 MB? It's a matter of adding one parameter to the compile arguments.
More details at: http://msdn.microsoft.com/en-us/library/tdkhxaks(VS.71).aspx
 [2009-04-10 17:43 UTC] pajoye@php.net
Please try using 5.3.0 VC9 snapshots(ts or NTS): http://windows.php.net
 [2009-04-14 13:42 UTC] vrana@php.net
Same result with VC9 TS and 500 lines under CLI.
 [2009-04-14 13:52 UTC] pajoye@php.net
> Same result with VC9 TS and 500 lines under CLI.

500 lines? Not using the code you pasted here?
 [2009-04-14 13:56 UTC] vrana@php.net
Same result also with the code pasted here under Apache 2.2.
 [2009-04-25 17:37 UTC] jani@php.net
Pierre, Nuno already gave the solution..? :)
 [2009-05-21 20:25 UTC] pajoye@php.net
Only wondering which impact has this change, have to test first before to increase the stack.
 [2009-06-18 13:27 UTC] peter dot swietoslawski at me dot com
I'm experiencing similar crash on PHP 5.2.9-2, Apache 2.2.11, Vista 
SP2 
if I run simple code like:

<?php

  $content = '
  <!-- Book Navigation Start -->
  <div>
  <ul class="menu"><li class="collapsed first">Web Services</li>
  <li class="collapsed">Integration Tools</li>
  <li class="leaf">Developer Group</li>
  <li class="leaf last">Developer Forum</li>
  </ul>
    <div class="page-links clear-block">
        <a href="test/wws" class="page-next" title="Go to next page"> 
Web Services </a>
    </div>
  </div>
  <!-- Book Navigation End -->
  ';

  $pattern = '/<!-- Book Navigation Start -->((.|\s)+)<!-- Book 
Navigation End -->/i';

  preg_match($pattern, $content, $book_nav);
?>

However this works fine in PHP 5.2.8 and in CLI for 5.2.9-2.
 [2009-07-06 17:43 UTC] pajoye@php.net
That's not something we can change for apache. You can fix the problem by increasing the stack size for apache using the following command:

editbin /STACK:8000000 c:\apache22\bin\httpd.exe

Sadly this tool is not available as a standalone app but VC Express should have it.

Close (bogus) this bug as it is not something we can change in PHP. We can increase the stack at wish but it is apache dependent. FastCGI does not seem to have this problem (was not able to crash it).
 [2011-09-29 12:35 UTC] ferenczy at volny dot cz
Better way to alter Apache stack size is using the ThreadStackSize directive in the Apache's configuration file (httpd.conf). There is a description of the ThreadStackSize directive in Apache's documentation: http://httpd.apache.org/docs/2.2/mod/mpm_common.html#ThreadStackSize

So increase of Apache stack size might looks like this (lines from httpd.conf):

<IfModule mpm_winnt_module>
   ThreadStackSize 8*1024*1024
</IfModule>

It sets Apache stack size to 8 MB, so it's the same as a default value on Linux.
 [2011-09-29 13:34 UTC] pajoye@php.net
It would be nice to add that to both apache 2.2 configuration and pcre docs.
 [2013-05-25 12:13 UTC] djokodonev at gmail dot com
This should be added to the PCRE(preg_match etc..) documentation. It had me clules for a long time as of what it going on.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 18:01:53 2014 UTC