php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52818 PCRE segfault
Submitted: 2010-09-12 00:48 UTC Modified: 2010-09-14 17:45 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: svimik at mail dot ru Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.3.3 OS: Debian-50-lenny-64
Private report: No CVE-ID: None
 [2010-09-12 00:48 UTC] svimik at mail dot ru
Description:
------------
My phpinfo:
http://188.40.74.4/_phpinfo.php

My hardware configuration:
http://www.hetzner.de/en/hosting/produkte_rootserver/eq4/

Test condition:
Run the script below in console (via SSH in my case).

Result:
Segmentation fault

Note: the regular expression may look senseless, because it was shortened to the minimun length for reproducing the bug.

Bug is reproducible on php 5.2.6, 5.2.9, 5.2.12 and 5.3.2. (Sorry, can't test on the latest version, waiting for someone to confirm the bug on 5.3.3).
Sorry, can't make a backtrace on a production server, because it is necessary to recompile the php.

In Windows this script works well.

Test script:
---------------
$str="<script>".str_repeat(".", 7000); //at least 6378 bytes (or more)
$str=preg_replace("/<script>((?!qqqq).)*/", "", $str);

Expected result:
----------------
Not a Segmentation fault :)

Actual result:
--------------
Debian-50-lenny-64-LAMP:/home/httpd# php -f segf.php
Segmentation fault
Debian-50-lenny-64-LAMP:/home/httpd#

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-09-12 00:57 UTC] svimik at mail dot ru
Tested versions:
------------------------
PHP 5.3.2-2 with Suhosin-Patch (cli) (built: Jul 19 2010 01:22:58)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with XCache v1.3.0, Copyright (c) 2005-2009, by mOo

PHP 5.2.12-2 with Suhosin-Patch 0.9.7 (cli) (built: Jan 11 2010 16:51:28)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with XCache v1.3.0, Copyright (c) 2005-2009, by mOo

PHP 5.2.9 (cli) (built: Mar 31 2009 23:21:47)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

PHP 5.2.6-1+lenny8 with Suhosin-Patch 0.9.6.2 (cli) (built: Mar 14 2010 08:14:04)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
 [2010-09-12 02:35 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2010-09-12 02:35 UTC] pajoye@php.net
What's your pcre recursion limit setting? Also it looks like a stack issue to me.

In any case, please provide a backtrace, without any patch or random extension (suhoshin or whatever else).
 [2010-09-12 11:35 UTC] svimik at mail dot ru
-Status: Feedback +Status: Open
 [2010-09-12 11:35 UTC] svimik at mail dot ru
Thanks to pajoye, the problem was solved by reducing recursion limit.
pcre.recursion_limit was default value (100000), and only reducing to 10000 solved the problem.

The only question is: is default value of pcre.recursion_limit too high? And should it work?
 [2010-09-14 13:09 UTC] aharvey@php.net
-Status: Open +Status: Bogus
 [2010-09-14 13:09 UTC] aharvey@php.net
I can replicate this on a stock trunk build, and it is (as usual) a simple stack overflow.

Closing.
 [2010-09-14 16:27 UTC] svimik at mail dot ru
Why stack overflow is not a bug?
 [2010-09-14 17:06 UTC] pajoye@php.net
Because it depends on your apache builds and configurations.

You can increase both using php.ini and with some tools on unix (don't remember which, but there is other reports about how to do it here). In any case, that's not something we can fix.
 [2010-09-14 17:32 UTC] svimik at mail dot ru
>Because it depends on your apache builds
As I said, I'm NOT using Apache, I run this script directly in console, by "php -f file.php" command.

>In any case, that's not something we can fix.
Why is not possible to catch this error?
 [2010-09-14 17:45 UTC] pajoye@php.net
It does not matter if you use apache or not, same cause, same solution. I mentioned apache as an example.
 [2013-06-08 17:22 UTC] eugenia at linux dot com
change the pcre.recursion_limit directive prevents a stack overflow but not 
correct the problem with preg_match.

After the change, the preg_match function not find a coincidence in the same 
context (maybe because it stops the recursion) but finds a coincidence in a 
reduced context.

So, why do you think is not a bug? Give me an exact explanation, tell me how I 
can solving this problem and I will tell you that it's not a bug. But now, is a 
bug.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 17 07:01:30 2024 UTC