PHP :: Bug #47811 :: preg_match that can cause segmentation fault

Bug #47811

preg_match that can cause segmentation fault

Submitted:

2009-03-27 17:26 UTC

Modified:

2009-04-14 20:56 UTC

Votes:	13
Avg. Score:	4.9 ± 0.3
Reproduced:	12 of 12 (100.0%)
Same Version:	9 (75.0%)
Same OS:	3 (25.0%)

From:

travis at wikihow dot com

Assigned:

nlopess (profile)

Status:

Not a bug

Package:

Reproducible crash

PHP Version:

5.2.9

OS:

CentOS release 4.4 & Mac OS 10.4

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2009-03-27 17:26 UTC] travis at wikihow dot com

Description:
------------
Run a preg_match with source text attached and get a seg fault. Apache 2.2 / PHP 5.2.9 and PHP 5.2.4. 

preg_match('@<object(.|\n)*</object>@im', $text, $matches);




Reproduce code:
---------------
http://wikidiy.com/php_bug_crash.txt

Expected result:
----------------
Apache not supposed to crash, completes preg_match, dumps $matches array.

Actual result:
--------------
Apache seg faults

[Fri Mar 27 12:16:05 2009] [notice] child pid 6391 exit signal Segmentation fault (11)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-03-27 23:53 UTC] dennis dot birkholz at nexxes dot net

I have a similar segfault testcase for preg_match. It always crashes at a stringlength of around 6700. PHP is 5.2.8 on gentoo linux.

# Create my test-string
for ($i=0; $i<20000; $i++) {
	$string .= 'a';
}

# The pattern matches for \\, \", everything except " and "
$pattern = '/^(\\\\|\\"|[^"]|")+$/';

print "Trying with string length " . "\033" . '[s';

for ($counter=6600; $counter<strlen($string); $counter++) {
	if (preg_match($pattern, substr($string,0,$counter), $matches)) {
		print "\033" . '[u' . $counter . '...';
		flush();
		
		list($dummy, $aa) = $matches;
	}
}
print "\n";

[2009-03-30 11:24 UTC] scope at planetavent dot de

Here's another snippet:

<?php

$s = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

$pattern = "@(X)*@";

$return = preg_match( $pattern, $s );

echo $return;

?>

This one crashes apache 2.2.8 and 2.2.11 with php-5.2.9 and php-5.2.9-1 on windows 2003.

[2009-03-30 12:22 UTC] pajoye@php.net

Nuno, can you take a look please? Can reproduce it here too.

[2009-04-02 12:27 UTC] Phil dot H at gmx dot net

Another php preg_match crash using php 5.2.9-1 on Windows XP and 2003R2:

<?php
$string    = str_repeat('blub ', 100000);
$regexp = '/ \G (?P<text> (?:.(?!\[% ))*.(?=\[%| $))/isx';

if (preg_match($regexp, $string, $aMatches, PREG_OFFSET_CAPTURE, 0)) {
	echo "matched\n";
}
echo "finished";
?>

[2009-04-02 12:39 UTC] felipe@php.net

This stack overflow is expected. See the earlies bug reports.

[2009-04-14 20:56 UTC] nlopess@php.net

Felipe is right. This is not a bug, just the expected stack overflow. You can "fix" the problem by increasing the stack size.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 19:01:28 2024 UTC