Bug #47907 Segmentation fault during many preg_matches
Submitted: 2009-04-06 13:02 UTC Modified: 2010-12-20 12:41 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: tafkad at web dot de Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.2.9 OS: Linux Debian Lenny
Private report: No CVE-ID: None
 [2009-04-06 13:02 UTC] tafkad at web dot de
Description:
------------
I use a class (phpcc) to transform a search string into an SQL WHERE clause. If it has many options like brackets or operators, or if it is a very long string, PHP ends in a segmentation fault. I've tested it with two PHP versions, 5.2.6 and 5.2.9. I use the CLI version.

I've created a test script with a for loop that generates a simple search statement with 2000 search terms. If I run this script it crashes. When I decrease the number of search terms to 1000 it runs clean.

GDB shows preg_match as the last function executed, that's why I think there must be an error.

The script uses a very large amount of memory (I've configured php.ini with 1024M).

php.ini changes against the default (Debian):
max_execution_time = 30000 ; 30     ; Maximum execution time of each script, in seconds
max_input_time = 60000 ; 60 ; Maximum amount of time each script may spend parsing request data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 1024M ; 32M      ; Maximum amount of memory a script may consume (32MB)

Active modules (php -m)
[PHP Modules]
bcmath,bz2,calendar,ctype,curl,date,dba,dbase,dom,exif,ffmpeg,filter,ftp,gd,gettext,hash,iconv,json,libxml,mbstring,mime_magic,mysql,mysqli,ncurses,openssl,pcntl,pcre,PDO,pdo_mysql,posix,readline,Reflection,session,shmop,SimpleXML,soap,sockets,SPL,standard,sysvmsg,sysvsem,sysvshm,tidy,tokenizer,wddx,xml,xmlreader,xmlwriter,zip,zlib

Reproduce code:
---------------
Code is too long.
Under http://paste.root-zone.info/debug.tar.gz is a dir with the class and a test script.


Expected result:
----------------
Before the script can finish, php crashes.

Actual result:
--------------
#23 0x00000000004783db in match (eptr=0x0,
    ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x200000000 <Address 0x200000000 out of bounds>, offset_top=32767, md=0x0, ims=15, eptrb=0x47a157, flags=0, rdepth=0)
    at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:1184
#24 0x000000000047a157 in match (eptr=0x1 <Address 0x1 out of bounds>,
    ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x200000000 <Address 0x200000000 out of bounds>, offset_top=32767, md=0x0, ims=3, eptrb=0x4803f4, flags=0, rdepth=0)
    at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:714
#25 0x00000000004803f4 in match (eptr=0x2ed1fe5 "",
    ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x27c2b71e0 <Address 0x27c2b71e0 out of bounds>, offset_top=32767, md=0x0, ims=45889320, eptrb=0x481f97, flags=0, rdepth=0)
    at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:2035
#26 0x0000000000481f97 in php_pcre_exec (argument_re=0x10716821, extra_data=0x2ed2016, subject=0x20 <Address 0x20 out of bounds>, length=275843303, start_offset=0,
    options=275843304, offsets=0x488020, offsetcount=275614368) at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:4844
#27 0x0000000000488020 in php_pcre_match_impl (pce=0x107108e8, subject=0x5f390048662f <Address 0x5f390048662f out of bounds>, subject_len=0, return_value=0x10718550,
    subpats=0xc106f7fd0, global=0, use_flags=4753947, flags=0, start_offset=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/php_pcre.c:621
#28 0x0000000000488a1b in php_do_pcre_match (ht=3, return_value=0x106f7fd0, return_value_ptr=0x7fff7c2b31a0, this_ptr=0x7fff7c2b31b0, return_value_used=2083222224, global=0)
    at /usr/src/php5/source/php5-5.2.9/ext/pcre/php_pcre.c:513
#29 0x00000000006c01ad in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b7b60) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:200
#30 0x00000000006ac6a4 in execute (op_array=0x2be9420) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92
#31 0x00000000006bfabe in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b8410) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:234
#32 0x00000000006ac6a4 in execute (op_array=0x2bbd4e8) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92
#33 0x00000000006bfabe in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b9110) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:234
#34 0x00000000006ac6a4 in execute (op_array=0x2be08b8) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92

History
 [2009-04-10 15:07 UTC] nlopess@php.net
It doesn't crash for me. It seems you need to increase the stack size (with ulimit -s).
 [2009-04-21 11:20 UTC] tafkad at web dot de
Thank you, this seems to be the problem. I've tested it now with a larger size and it runs clean, but it does not help if the content to be compiled is larger than it is now. Is there any way to get the actual stack size and the limit in PHP? I've found nothing about it. I must stop the script before it runs into a segfault.
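Raising the stack with ulimit only moves the crash threshold; the script still cannot tell when it is close. As an added example (not code from the bug report or from the phpcc class), the following bounds PCRE's match recursion through the pcre.recursion_limit directive and checks preg_last_error(), so an oversized search statement makes preg_match() fail with an error instead of a segfault. It assumes the PCRE bundled with PHP 5.x, which recurses on the C stack, and the constructed subject and pattern are illustrative, not the reporter's.

```php
<?php
// Added example: in classic PCRE every nested match() call is a C stack frame,
// so pcre.recursion_limit is the closest thing to a "stack limit in PHP".
// Assumption: PCRE built with stack recursion (the default for PHP 5.x).
ini_set('pcre.recursion_limit', '5000');  // default 100000; pick to fit ulimit -s
ini_set('pcre.jit', '0');                  // PHP >= 7.0 only; no effect on 5.x

// preg_match() wrapper that distinguishes "no match" (0) from "engine gave up"
// (false), which a plain boolean test silently conflates.
function safe_preg_match($pattern, $subject, &$matches = null)
{
    $result = preg_match($pattern, $subject, $matches);
    if ($result === false) {
        $names = array(
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit exceeded',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit exceeded',
            PREG_BAD_UTF8_ERROR        => 'bad UTF-8 in subject',
        );
        $err = preg_last_error();
        $msg = isset($names[$err]) ? $names[$err] : "error code $err";
        throw new RuntimeException("preg_match failed: $msg");
    }
    return $result;
}

// Constructed subject in the shape of the reporter's generated search statement:
// many "OR_ID = 'TESTSTRnnnnnnnn'" terms joined by " or ", enough to exceed the
// recursion limit set above.
$terms = array();
for ($i = 0; $i < 20000; $i++) {
    $terms[] = sprintf("OR_ID = 'TESTSTR%08d'", $i);
}
$subject = implode(' or ', $terms);

// A repeated group recurses once per iteration in classic PCRE, so the
// recursion depth grows with the number of terms, as in the backtrace above.
$pattern = "/^(?:OR_ID = '[^']*'(?: or )?)+$/";

try {
    echo safe_preg_match($pattern, $subject) ? "matched\n" : "no match\n";
} catch (RuntimeException $e) {
    // Abort this operation here instead of letting the whole process segfault.
    echo 'aborted: ', $e->getMessage(), "\n";
}
```

pcre.backtrack_limit (default 1000000) caps total match() calls the same way and may trip first on a long subject; both report through preg_last_error().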
 [2010-12-20 12:41 UTC] jani@php.net
-Package: Tidy +Package: PCRE related