php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51238 Segfault with preg_replace
Submitted: 2010-03-08 18:01 UTC Modified: 2010-03-09 00:53 UTC
From: odoucet@php.net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.2 OS: all
Private report: No CVE-ID: None
 [2010-03-08 18:01 UTC] odoucet@php.net
Description:
------------
You can make a segfault with a particular regexp (that appears to be used in Mysqli, or in Zend Framework at least).

This bug appears on : 
PHP 5.3.2
PHP 5.2.10
PHP 4

with internal pcrelib of course.


NOTE:
I cannot reproduce this bug everytime. Once in a while, the segfault is not triggered (weird ...).

NOTE 2:
Same bug (segfault) with preg_match or preg_match_all


Test script:
---------------
<?php

preg_replace("/'(\\\\'|\\\\{2}|[^'])*'/", 
   '', 
   "'".str_repeat("a", 50000)
);

// Note : the bug can be triggered with str_repeat('a', 5000) also.
// Longer the string is, more chance you have to trigger the segfault


Expected result:
----------------
working code :)

Actual result:
--------------
Segmentation fault


match (eptr=0xb750b3b7 'a' <repeats 200 times>..., ecode=0x8dcd78e "_", mstart=0xb7508c64 "'", 'a' <repeats 199 times>..., offset_top=4,
    md=0xbfdced54, ims=0, eptrb=0x0, flags=0, rdepth=20133) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:454
454     {

#0  match (eptr=0xb750b3b7 'a' <repeats 200 times>..., ecode=0x8dcd78e "_", mstart=0xb7508c64 "'", 'a' <repeats 199 times>..., offset_top=4,
    md=0xbfdced54, ims=0, eptrb=0x0, flags=0, rdepth=20133) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:454
#1  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#2  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#3  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#4  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#5  0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#6  0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734


[ ... snip because backtrace shows what appears to be a loop ... ]

#20131 0x080ebc9a in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1533
#20132 0x080e78f4 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:734
#20133 0x080e7df8 in match (eptr=Variable "eptr" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:1395
#20134 0x080f235a in php_pcre_exec (argument_re=0x8dcd760, extra_data=0xbfdceef4, subject=0xb7508c64 "'", 'a' <repeats 199 times>...,
    length=50001, start_offset=0, options=Variable "options" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/pcrelib/pcre_exec.c:5641
#20135 0x080f62a9 in php_pcre_replace_impl (pce=0x8dcd8f8, subject=0xb7508c64 "'", 'a' <repeats 199 times>..., subject_len=50001,
    replace_val=0xb74fad54, is_callable_replace=0, result_len=0xbfdcf088, limit=-1, replace_count=0xbfdcf074)
    at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1040

#20136 0x080f6fc5 in php_pcre_replace (regex=0xb74fb284 "/'(\\\\'|\\\\{2}|[^'])*'/", regex_len=21,
    subject=0xb7508c64 "'", 'a' <repeats 199 times>..., subject_len=50001, replace_val=0xb74fad54, is_callable_replace=0, result_len=0xbfdcf088,
    limit=-1, replace_count=0xbfdcf074) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:950
#20137 0x080f7542 in php_replace_in_subject (regex=0xb74fad70, replace=Variable "replace" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1267
#20138 0x080f7bb6 in preg_replace_impl (ht=Variable "ht" is not available.
) at /usr/src/php/php-5.3.2/ext/pcre/php_pcre.c:1365




#20139 0x084b3c81 in zend_do_fcall_common_helper_SPEC (execute_data=0xb7470028) at zend_vm_execute.h:313
#20140 0x084acf86 in execute (op_array=0xb74fb1ec) at zend_vm_execute.h:104
#20141 0x08484fe6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php/php-5.3.2/Zend/zend.c:1194
#20142 0x0842c036 in php_execute_script (primary_file=0xbfdd16f4) at /usr/src/php/php-5.3.2/main/main.c:2260
#20143 0x085157e8 in main (argc=2, argv=0xbfdd1854) at /usr/src/php/php-5.3.2/sapi/cli/php_cli.c:1192




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-09 00:53 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2010-03-09 00:53 UTC] felipe@php.net
This is due a known PCRE issue.
http://man.he.net/man3/pcrestack

Not a PHP bug. Thanks.
 [2010-04-27 15:15 UTC] ap at jusmeum dot de
We have a similar segfault from time to time when using the PCRE functions. I tried setting ulimit -s to insanely high values with no effect on the frequency of the bug and it just happens with PHP 5.3.2 and no older versions. Anything else I can try?
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu May 19 12:05:44 2022 UTC