Bug #53953 preg_replace overflow segfault
Submitted: 2011-02-07 23:15 UTC
Modified: 2011-02-08 04:01 UTC
From: msn at searchy dot nl
Assigned:
Status: Duplicate
Package: PCRE related
PHP Version: 5.3.5
OS: Linux
Private report: No
CVE-ID: None
[2011-02-07 23:15 UTC] msn at searchy dot nl
Description:
------------
When preg_replace'ing a pattern which occurs a lot in a subject, PHP will SIGSEGV. With the test script PHP fails at iteration 2236. It seems only to occur with a pattern like '(x)+', where x can be anything.

FreeBSD (8.1) has no issues with the test script. 

I found a relevant bug: http://bugs.php.net/bug.php?id=36507 , but I find it awkward that the internal pcre library still has the bug.

Test script:
---------------
<?php
$string = "";
$newstring = "";
for ($i=0;$i<10240;$i++) {
	echo "Iteration $i\n";
	$string .= 'x';
	$newstring = $string;
	$newstring = preg_replace("/(x)+/","",$newstring);
	echo "$string - $newstring \n";
}
?>


Expected result:
----------------
Run to infinity and beyond as long as the loop loops.

Actual result:
--------------
A snippet of the backtrace:
#0  match (eptr=0x8b61e49 "", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4474) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:627
#1  0x080c8469 in match (eptr=0x8b61e49 "", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4473)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#2  0x080c6793 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4472)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#3  0x080c8469 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4471)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623

--snip--
#4473 0x080c8469 in match (eptr=0x8b6158d 'x' <repeats 200 times>..., ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=1)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#4474 0x080c6793 in match (eptr=0x8b6158c 'x' <repeats 200 times>..., ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=2, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=0)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#4475 0x080d8dbe in php_pcre_exec (argument_re=0x8b8ae88, extra_data=0xbfde5f64, subject=0x8b6158c 'x' <repeats 200 times>..., length=2237, start_offset=0, options=0, offsets=0x8b5b48c, offsetcount=6)
    at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:6064
#4476 0x080def1d in php_pcre_replace_impl (pce=0x8bcb0a8, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, replace_count=0xbfde6144)
    at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1052
#4477 0x080ded1d in php_pcre_replace (regex=0x8b5f028 "/(x)+/", regex_len=6, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, 
    replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:962
#4478 0x080dfa5c in php_replace_in_subject (regex=0x8b5f104, replace=0x8b5ef54, subject=0x8b8b16c, result_len=0xbfde6158, limit=-1, is_callable_replace=0, replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1279
#4479 0x080e0447 in preg_replace_impl (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, is_callable_replace=0, is_filter=0) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1377
#4480 0x080e052d in zif_preg_replace (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1397
#4481 0x084afafb in zend_do_fcall_common_helper_SPEC (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:316
#4482 0x084b4537 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:1606
#4483 0x084aef98 in execute (op_array=0x8b5e2c8) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:107
#4484 0x08487c63 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/compile/php-5.3.5/Zend/zend.c:1194
#4485 0x084272f3 in php_execute_script (primary_file=0xbfde86d4) at /root/compile/php-5.3.5/main/main.c:2265
#4486 0x08547ba6 in main (argc=2, argv=0xbfde8834) at /root/compile/php-5.3.5/sapi/cli/php_cli.c:1193
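The backtrace above is a textbook C-stack exhaustion: for a 2237-byte subject, match() is nested 4474 deep, roughly two frames per repetition of the capturing group in "(x)+", until the stack runs out and the process dies with SIGSEGV. The defensive fix on the application side is to cap PCRE's recursion depth so that the engine returns an error instead of overflowing, and to check that error, since preg_replace() returns NULL on failure rather than throwing. The following is an added example written for this page, not code from the report or from PHP itself; the limit value of 1000 is an assumption chosen for illustration, and the right value depends on the stack size of the deployment.

```php
<?php
// Added example (not part of the bug report). Cap PCRE's recursion depth so
// that a deeply recursive match fails with a reportable error instead of
// exhausting the C stack. 1000 is an assumed illustrative value.
ini_set('pcre.recursion_limit', '1000');

// Wrapper that distinguishes "no match / empty result" from a PCRE failure.
// Returns array($result, $errorDescription); $errorDescription is null on success.
function safe_preg_replace($pattern, $replacement, $subject)
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        // preg_replace() returns NULL when the engine reports an error.
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR:
                return array(null, 'pcre.recursion_limit reached');
            case PREG_BACKTRACK_LIMIT_ERROR:
                return array(null, 'pcre.backtrack_limit reached');
            default:
                return array(null, 'PCRE error code ' . preg_last_error());
        }
    }
    return array($result, null);
}

// Same growth loop as the report's test script, but the failure is now
// caught instead of crashing the interpreter.
$string = '';
for ($i = 0; $i < 10240; $i++) {
    $string .= 'x';
    // The capturing group in "(x)+" costs PCRE a nested match() call per
    // repetition, which is why rdepth in the backtrace tracks the subject length.
    list($out, $err) = safe_preg_replace('/(x)+/', '', $string);
    if ($err !== null) {
        echo "Iteration $i: $err, stopping cleanly\n";
        break;
    }
}

// When the capture is not needed, a plain single-character repeat is matched
// by PCRE in a loop rather than by nested recursion, so the same subject size
// that failed above completes under the same limit.
list($out, $err) = safe_preg_replace('/x+/', '', str_repeat('x', 10240));
var_dump($out === '', $err === null); // bool(true) bool(true)
```

Setting pcre.recursion_limit in php.ini rather than per script is the usual deployment choice, so that user-controlled subjects fed to any regex in the application hit the limit before they hit the stack; the wrapper pattern of checking preg_last_error() whenever preg_replace() returns NULL is what keeps an error from silently turning into an empty or unchanged value.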


History
 [2011-02-08 04:01 UTC] aharvey@php.net
-Status: Open +Status: Duplicate
 [2011-02-08 04:01 UTC] aharvey@php.net
Duplicate of many bugs, including bug #52818.

For what it's worth, I actually agree with you that this shouldn't
crash, but this continues to be expected behaviour by most PHP
developers.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC