php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53099 mb_ereg_replace uses 100% cpu and takes >10 minutes to execute.
Submitted: 2010-10-18 17:28 UTC Modified: 2016-08-20 15:24 UTC
Votes:4
Avg. Score:3.2 ± 0.4
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:0 (0.0%)
From: phpnet at rcpt dot at Assigned: cmb (profile)
Status: Not a bug Package: mbstring related
PHP Version: 5.3.3 OS: Ubuntu 9.10
Private report: No CVE-ID: None
View Developer Edit
 [2010-10-18 17:28 UTC] phpnet at rcpt dot at 
Description:
------------
I have written a mb_trim function in php which uses ereg_replace to trim strings in the same manner as trim() does.

The function is available at http://php.net/manual/en/ref.mbstring.php
Under the heading 'phpnet at rcpt dot at - 19-Aug-2010 02:46'

Using the string excerpt from our production environment (http://pastebin.com/wmyjPmBV), ereg_replace appears to enter some sort of recursive loop, in my environment it takes 100% cpu for 20 minutes before finally returning the correct result.

When the section which reads: array( "\s","\t","\n","\r", "\0", "\x0B" )

...is changed to array( "\s", "\0", "\x0B" ) then ereg_replace returns promptly with the correct result.



Test script:
---------------
The function is available at http://php.net/manual/en/ref.mbstring.php
Under the heading 'phpnet at rcpt dot at - 19-Aug-2010 02:46'

It is also available here:
http://pastebin.com/CCpaVXay

The (serialized) string that causes the problem is:
s:488:"<I>Swans	</I>																						Wisely moving from the middle of July to the middle of autumn, this indoor, forward-thinking avant-rock weekend brings together all sorts of fiercely experimental noisemakers, from psychedelic-folk to death metal, with a hotly anticipated headline set from Michael Gira's New York noise inspiration Swans. Don't expect many stony-faced rock nerds, though. The organisers serve tea and cake throughout and they're promising other fun and games this year.";


It is also available for download here:
http://pastebin.com/wmyjPmBV

You can execute the script with the following syntax:
<?php mb_trim( $string );

Expected result:
----------------
PHP will return the correct result quickly.

Actual result:
--------------
PHP will run at 100% CPU for 20 minutes.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-18 22:32 UTC] felipe@php.net
-Package: Regexps related +Package: mbstring related
 [2010-10-18 22:32 UTC] felipe@php.net 
s/ereg_replace/mb_ereg_replace/g :)
 [2010-10-18 22:38 UTC] felipe@php.net
-Summary: ereg_replace uses 100% cpu and takes >10 minutes to execute. +Summary: mb_ereg_replace uses 100% cpu and takes >10 minutes to execute.
 [2010-10-19 12:52 UTC] phpnet at rcpt dot at 
Thanks felipe, sorry about that; to avoid confusion, I mean 'mb_ereg_replace' not 'ereg_replace'.
 [2010-11-07 14:52 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: moriyoshi
 [2016-07-30 11:34 UTC] cmb@php.net 
Related To: Bug #60664
 [2016-07-30 13:06 UTC] ju1ius at laposte dot net 
This is not a bug, this is catastrophic backtracking.
http://www.regular-expressions.info/catastrophic.html

The second pattern in your function is problematic:
`(\s|\t|\n\r)*$`
All regexps engines will choke on that.
 [2016-08-20 15:24 UTC] cmb@php.net
-Status: Assigned +Status: Not a bug -Assigned To: moriyoshi +Assigned To: cmb
 [2016-08-20 15:24 UTC] cmb@php.net 
> The second pattern in your function is problematic:
> `(\s|\t|\n\r)*$`

Indeed. Request #72777 appears to be helpful in this regard.
 [2016-09-01 11:11 UTC] yohgaki@php.net 
Related To: Bug #72777
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Dec 03 16:01:33 2024 UTC