Bug #48501 Crash with preg_replace_callback
Submitted: 2009-06-08 21:33 UTC
Modified: 2009-06-08 21:53 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: cobexer at gmail dot com
Assigned:
Status: Closed
Package: PCRE related
PHP Version: 5.2.9
OS: Linux/openSuSE 11.1
Private report: No
CVE-ID: None

 

 [2009-06-08 21:33 UTC] cobexer at gmail dot com
Description:
------------
When I tried to match nested patterns, my apache2 with PHP crashed. However, for similar inputs a very similar regular expression is in use and causes no problems... (but the crash seems to be related to the number of nesting levels)

Reproduce code:
---------------
<?php
	//long test string -> crash
	$match= "{IF(a)}if{IF(a)}fi{IF(a)}if{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{ELSE}else{IF(a)}if{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{/IF}";
	//shorter test string -> still crash, but if I remove the first nested {IF... it doesn't crash any more
	$match= "{IF(a)}if{IF(a)}fi{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}";
	$reg= '/\{IF\((.*)\)\}([^\{]+?)(\{ELSE\})?([^\{]*?)(\{\/IF\})/Us';
	$matches= array();
	function cback($t) { global $matches; $matches[]= $t; return '';}
	preg_replace_callback($reg, 'cback', $match);
	var_dump($matches);
?>

Expected result:
----------------
Array with the matches of the regExp correctly nested... but I was in the stage of designing the regular expression itself - at least I did not expect a crash...

Actual result:
--------------
Apache/2.2.10 (php loaded as module) error_log:
without 3rd party extensions:
[notice] child pid 11335 exit signal Segmentation fault (11)
with XDebug enabled:
[error] [client 127.0.0.1] ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker '127.0.0.1', file '/path/file.php')
when running php from the command line (no crash -> no backtrace):
$ php reproduce.php #same content as the code posted above!
array(2) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
}
ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker 'REMOTE_ADDR not set', file 'unknown')


 [2009-06-08 21:38 UTC] cobexer at gmail dot com
After submitting I found a similar bug ... #44214
but that one is closed and seems to have been "fixed" for a year now...
 [2009-06-08 21:53 UTC] scottmac@php.net
This was only fixed in 5.3, I've now backported it to 5.2.
 