Bug #50518 Apache/PHP5.3.1 causes stack overflow when executing preg_match_all
Submitted: 2009-12-18 15:58 UTC Modified: 2009-12-18 16:06 UTC
From: Ryan_Hollister at eloyalty dot net Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.3SVN-2009-12-18 (snap) OS: Windows XP 32bit
Private report: No CVE-ID: None
 [2009-12-18 15:58 UTC] Ryan_Hollister at eloyalty dot net
I have a regular expression that would not crash Apache/PHP in PHP 5.2.8, but now that I have upgraded to PHP 5.3.1 it is unable to execute the code.

Clearly from the dump there is a stack overflow. My reasons for pointing toward a bug are that 1) it executed fine in 5.2.8 and 2) it only fails on certain strings.

Some other notes:

1) It executes and completes fine if it is run from the command line.

2) If I set pcre.backtrack_limit = 1100 it will complete fine.

Certainly neither of these options is a resolution to my problem, as I run a web server using Apache and I need the backtrack_limit to be much higher than 1100 bytes.

Reproduce code:
<?php
// Pattern unchanged from the report. Group 8 is the multi-word phrase
// "word( word)+" and "( \8)+" requires that whole phrase to repeat at
// least once more, so every word span of the subject is tried before a
// start position is given up. Note that "[ \Z]" is a character class:
// inside a class PCRE treats \Z as a literal "Z", not as an end-of-subject
// assertion, so the class matches a space or the letter Z.
$Pattern = "/\b(?!((yellow mellow)|(help you)|(uh? -? ?huh)|(that('s| is) (ok|fine|back))))((?<!['-])(?!_TONES_)[\w'-]+( (?<!['-])(?!_TONES_)[\w'-]+)+) ?( \8)+[ \Z]/i";

// Below is a bad subject
$Subject = "hello and and and thank you Sam and for your protection would you mind seeking the last four digits of your Social Security number OK thank you very much a company that OK _TONES_ right OK is that all it says is that has any other type of message _TONES_ and and and right well what I can do is I can connect us with a member of our service team and then maybe they can take a look into and set a little bit of life here for us uh right now they it it does is all uh interrelated uh yes you know you were in points but the card I know I we do have a visa rewards number that give you if you ever want to check how many points he did have or see what you can do with those the two run shot that down okay it's one eight hundred for one nine here is the own here is he rock you know it's tried them Tony Pete DuPont holding for just a brief moment I'll connect us with our service came here my pleasure and make a row that they see a gun good have a account number five HP nine nine days three zero account for Angeles and then and found she said she's having difficulty using her card said never works which tries to use that and it had an ATM this one or maybe you some questions after the figure out what the problem might be sure she's a verifiable vaccination can the salmon per share your patients there I've connected you with Annika with their service team she's going to Piazza and my pleasure";

// Below is a good subject
//$Subject = "hello ryan ryan ryan for calling Merrill Lynch my name is Robert protest may have your name please have rightly its attention to see Alabama one streak to locate I'm I'm looking to use it is uh hum Merrill Lynch branched off to work in South Holland for world financial center well as an apprentice at eight p.m. and I went there to take a money out of my case I spoke to someone yesterday said I could take I catch that my money market account because liquid account but that whenever I I ever try to take a money and what it says can I complete this chance action that's all it says and then these intelligent kick out of my check and they said that there's no I know there's no money that machine that's why so that but and and OK also not know the quick western ideas that time is linked to my checking account it doesn't give viewpoints for anything is it wanted well just opened up a separate account for about you know you get points to it said plane ticket it's and and and and and OK well and and and it the and and to the OK and yeah please _TONES_ _TONES_ _TONES_ OK oh and and thank you so much right there and and _TONES_ _TONES_ _TONES_ thank you for calling Merrill Lynch this is any guide how math helped heal could hurt for years the in one minute now comes mean to speak with these authorization for women to take a look at the it's not very quickly as to whether or not that's something we need to do and then I can go ahead with worshipers their side OK great no problem and yes and OK thanks thank you so much offense and you can";

$Matches = array();
// preg_match_all() returns the match count, or false when a PCRE limit or
// error aborted the match; preg_last_error() then says which one.
$MatchCount = preg_match_all($Pattern, $Subject, $Matches, PREG_OFFSET_CAPTURE);
echo ($MatchCount);
echo (print_r($Matches, true));

Expected result:
I expect the "Bad Subject" to complete execution and return an empty array.

You can comment out the "Bad Subject" and try the "Good Subject" to see the proper execution of the regex.

NOTE: In the stack trace below I have removed a significant amount of the repeating traces in the middle.

Actual result:
Thread 57 - System ID 3896
Entry point	msvcrt!_endthreadex+3a	   
Create time	12/18/2009 9:48:32 AM	   
Time spent in user mode	0 Days 0:0:0.0	   
Time spent in kernel mode	0 Days 0:0:0.15	 

Function	Arg 1	Arg 2	Arg 3	Source	   
php5ts!match+6	022bd395	011a3768	022bcf47		   
php5ts!match+578a	022bd395	011a3763	022bcf47		   
php5ts!match+56ae	022bd395	011a37ca	022bcf47		   
php5ts!match+6b19	022bd38d	011a37ca	022bcf47		   
php5ts!match+578a	022bd38d	011a3763	022bcf47		   
php5ts!match+56ae	022bd38d	011a37ca	022bcf47		   
php5ts!match+6b19	022bd387	011a37ca	022bcf47		   
php5ts!match+578a	022bd387	011a3763	022bcf47		   
php5ts!match+56ae	022bd387	011a37ca	022bcf47		   
php5ts!match+6b19	022bd382	011a37ca	022bcf47		   
php5ts!match+578a	022bd382	011a3763	022bcf47		   
php5ts!match+56ae	022bd382	011a37ca	022bcf47		   
php5ts!match+6b19	022bd37b	011a37ca	022bcf47		   
php5ts!match+578a	022bd37b	011a3763	022bcf47		   
php5ts!match+56ae	022bd37b	011a37ca	022bcf47		   
php5ts!match+6b19	022bd376	011a37ca	022bcf47		   
php5ts!match+578a	022bd376	011a3763	022bcf47		   
php5ts!match+56ae	022bd376	011a37ca	022bcf47		   
php5ts!match+6b19	022bd372	011a37ca	022bcf47		   
php5ts!match+578a	022bd372	011a3763	022bcf47		   
php5ts!match+56ae	022bd372	011a37ca	022bcf47		   
php5ts!match+6b19	022bd368	011a37ca	022bcf47		   
php5ts!match+578a	022bd368	011a3763	022bcf47		   
php5ts!match+56ae	022bd368	011a37ca	022bcf47		   
php5ts!match+6b19	022bd363	011a37ca	022bcf47		   
php5ts!match+578a	022bd363	011a3763	022bcf47		   
php5ts!match+56ae	022bd363	011a37ca	022bcf47		   
php5ts!match+6b19	022bd35d	011a37ca	022bcf47		   
php5ts!match+578a	022bd35d	011a3763	022bcf47		   
php5ts!match+56ae	022bd35d	011a37ca	022bcf47		   
php5ts!match+6b19	022bd354	011a37ca	022bcf47		   
~~~~~~MANY REPEATS REMOVED HERE~~~~~~~	~~~~~~	~~~~~~	~~~~~~~		   
php5ts!match+6b19	022bcf58	011a37ca	022bcf47		   
php5ts!match+578a	022bcf58	011a3763	022bcf47		   
php5ts!match+56ae	022bcf58	011a37ca	022bcf47		   
php5ts!match+6b19	022bcf52	011a37ca	022bcf47		   
php5ts!match+578a	022bcf52	011a3763	022bcf47		   
php5ts!match+56ae	022bcf52	011a37ca	022bcf47		   
php5ts!match+6b19	022bcf4e	011a37ca	022bcf47		   
php5ts!match+578a	022bcf4e	011a3763	022bcf47		   
php5ts!match+56ae	022bcf4e	011a37ca	022bcf47		   
php5ts!match+6b19	022bcf4a	011a37ca	022bcf47		   
php5ts!match+578a	022bcf4a	011a3763	022bcf47		   
php5ts!match+6b19	022bcf47	011a3763	022bcf47		   
php5ts!match+578a	022bcf47	011a36fe	022bcf47		   
php5ts!php_pcre_exec+a64	011a3620	0206fa98	022bce48		   
php5ts!php_pcre_match_impl+250	011a3838	022bce48	00000578		   
php5ts!php_do_pcre_match+db	00000578	022bd448	00000000		   
php5ts!zif_preg_match_all+25	00000004	022bd448	00000000		   
php5ts!zend_do_fcall_common_helper_SPEC+94e	00000000	022f0080	0111eb18		   
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+130	0206fbf8	0111eb18	0206fe74		   
php5ts!execute+2fb	022f0080	0111eb00	00000000		   
php5ts!zend_execute_scripts+f6	00000008	0111eb18	00000000		   
php5ts!php_execute_script+245	0206fe74	0111eb18	00000005		   
php5apache2_2!php_handler+5d0	01116b58	0072da80	01116b58		   
libhttpd!ap_run_handler+21	01116b58	01116b58	01116b58		   
libhttpd!ap_invoke_handler+ae	00000000	01111b00	0206ff38		   
libhttpd!ap_die+29e	01116b58	00000000	0072e1d0		   
libhttpd!ap_get_request_note+1c9c	01111b00	01111b00	01111b00		   
libhttpd!ap_run_process_connection+21	01111b00	00674e50	0206ff80		   
libhttpd!ap_process_connection+33	01111b00	0110aad0	00ec0040		   
libhttpd!ap_regkey_value_remove+c7c	01111af8	00ec0040	00e80000		   
msvcrt!_endthreadex+a9	011086f8	00ec0040	00e80000		   
kernel32!BaseThreadStart+37	77c3a341	011086f8	00000000		 

PHP5TS!MATCH+6In httpd__PID__4032__Date__12_18_2009__Time_09_49_29AM__241__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!match+6 in C:\Program Files\PHP53\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x02032f2c on thread 57


 [2009-12-18 16:06 UTC]
Not a PHP problem. See bug #47689 about how to "fix" Apache.
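Added example, not code from the bug report or from PHP itself. The security-relevant point of this report is that a pattern like the reporter's, fed an attacker-chosen subject, either burns CPU backtracking or, in a thread with a small stack such as an Apache worker on Windows, recurses inside PCRE's match() until the stack is exhausted and the process dies. The PHP-side defence is to bound the matcher and to treat a hit limit as an error rather than as "no matches". The block below runs the reporter's pattern with its trailing "[ \Z]" rewritten as "(?: |\z)" (an assumption about what the class was meant to say; inside a character class \Z is not an end-of-subject assertion), sets pcre.backtrack_limit and pcre.recursion_limit to illustrative values that are not taken from the page, and checks preg_last_error() after preg_match_all(). Both subjects are constructed for the example, not the report's transcripts.

```php
<?php
// Added example (not from the bug report or from PHP): bound PCRE so that a
// hostile subject makes preg_match_all() fail cleanly instead of recursing
// until the calling thread's stack is gone.
//
// Limit values are assumptions chosen for illustration; measure your own
// worst-case subjects before settling on production values.
//
// pcre.backtrack_limit caps the number of backtracking steps (time).
// pcre.recursion_limit caps the depth of PCRE's recursive match() calls,
// which is what becomes a stack overflow in a small-stack worker thread.
// Both ini settings exist since PHP 5.2.0 and are changeable at runtime.
ini_set('pcre.backtrack_limit', '1000000');
ini_set('pcre.recursion_limit', '5000');

// Reporter's pattern, with the trailing "[ \Z]" rewritten as "(?: |\z)"
// (assumed intent: a space or the end of the subject).
$pattern = "/\b(?!((yellow mellow)|(help you)|(uh? -? ?huh)|(that('s| is) (ok|fine|back))))((?<!['-])(?!_TONES_)[\w'-]+( (?<!['-])(?!_TONES_)[\w'-]+)+) ?( \8)+(?: |\z)/i";

// Map preg_last_error() codes to names. PHP 8 has preg_last_error_msg();
// this report concerns 5.3, so do it by hand.
function pregErrorName($code) {
    static $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    return isset($names[$code]) ? $names[$code] : "unknown($code)";
}

// Wrapper that never lets an aborted match masquerade as "no matches":
// preg_match_all() returns 0 for no match and false for an error, and
// only preg_last_error() tells you which limit was hit.
function safeMatchAll($pattern, $subject, &$matches) {
    $matches = array();
    $count = preg_match_all($pattern, $subject, $matches, PREG_OFFSET_CAPTURE);
    if ($count === false) {
        return array('ok' => false, 'error' => pregErrorName(preg_last_error()));
    }
    return array('ok' => true, 'count' => $count);
}

// Constructed subject 1: a two-word phrase repeated three times, which is
// exactly what the pattern looks for.
$repeats = "the card the card the card please";

// Constructed subject 2: a long run of distinct words. Group 8 can never be
// followed by a repeat of itself, so the matcher walks every word span from
// every start position before giving up; in the PCRE that PHP 5.x links,
// each repetition of group 9 is one more level of match() recursion.
$words = array();
for ($i = 0; $i < 5000; $i++) {
    $words[] = 'w' . $i;
}
$noRepeat = implode(' ', $words);

foreach (array('repeats' => $repeats, 'no repeat' => $noRepeat) as $label => $subject) {
    $r = safeMatchAll($pattern, $subject, $m);
    if ($r['ok']) {
        echo "$label: {$r['count']} match(es)";
        if ($r['count'] > 0) {
            // PREG_OFFSET_CAPTURE: $m[0][0] is array(text, offset).
            echo ", first = '" . $m[0][0][0] . "' at offset " . $m[0][0][1];
        }
        echo "\n";
    } else {
        // A limit error is the signal to reject the input, log it, or raise
        // the limit deliberately; it is not an empty result.
        echo "$label: match aborted, " . $r['error'] . "\n";
    }
}
```

Under PHP 5.3 with a small thread stack, the "no repeat" case returns false with PREG_RECURSION_LIMIT_ERROR or PREG_BACKTRACK_LIMIT_ERROR (which one trips first depends on the two values) instead of the 0xC00000FD exception in the dump above, while the "repeats" case reports one match, "the card the card the card ", at offset 0. PHP 7.3 and later link PCRE2, whose matcher (10.30 onward) keeps its backtracking frames on the heap rather than the C stack, so the crash itself does not reproduce there, but the false-versus-0 distinction still applies. Raising the worker stack on the Apache side, the route the reply points to via bug #47689 (this page does not name the directive; for the Windows MPM it is Apache's ThreadStackSize), only moves the threshold at which a bad subject takes the worker down.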