|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61213 PCRE - Stack Overflow due to unlimited recursions in preg_match() crashing php5
Submitted: 2012-02-29 20:59 UTC Modified: 2012-03-01 07:12 UTC
From: mccool at gmx dot ch Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.10 OS: win32 (vista x86)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mccool at gmx dot ch
New email:
PHP Version: OS:


 [2012-02-29 20:59 UTC] mccool at gmx dot ch
stack overflow in php5ts.dll

Unhandled exception at 0x60b7b0b3 (php5ts.dll) in httpd.exe: 0xC00000FD: Stack overflow.
module: php5ts.dll

affected php versions: 5.3.8/5.3.9/5.3.10 (win32)
src: ./ext/pcre/php_pcre.c:497
     ./ext/pcre/pcre_exec.c:649  (position on stack overflow, random since this is a stack overflow)

btw. yes i know i can set pcre.recursion_limit. this might fix the symptoms but not the problem. php crashes even with pcre.recursion_limit=650. for example other projects do not crash on maxed out recursions...

Call Stack:

... php5ts.dll!match() repeatet until stack exhausted ....
 	php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705ca0, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000004, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000001)  Line 1515 + 0x2f bytes	C
 	php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705c98, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000002, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000000)  Line 834 + 0x40 bytes	C
 	php5ts.dll!php_pcre_exec(const real_pcre * argument_re=0x02705c70, const pcre_extra * extra_data=0x0230fa5c, const char * subject=0x04d6e5f0, int length=0x00000467, int start_offset=0x00000000, int options=0x00000000, int * offsets=0x04d6eb10, int offsetcount=0x0000000c)  Line 6099 + 0x3f bytes	C
 	php5ts.dll!php_pcre_match_impl(pcre_cache_entry * pce=0x04f79918, char * subject=0x04d6e5f0, int subject_len=0x00000467, _zval_struct * return_value=0x04d6eaa0, _zval_struct * subpats=0x04d6ea80, int global=0x00000000, int use_flags=0x00000000, long flags=0x00000000, long start_offset=0x00000000, void * * * tsrm_ls=0x0278ca60)  Line 629	C
 	php5ts.dll!php_do_pcre_match(int ht=0x00000003, _zval_struct * return_value=0x00000000, _zval_struct * * return_value_ptr=0x60b72db7, _zval_struct * this_ptr=0x60b72db7, int return_value_used=0x60b72db7, void * * * tsrm_ls=0x00000000, int global=0x00000000)  Line 520 + 0x2b bytes	C
 	php5ts.dll!zif_preg_match(int ht=0x00000003, _zval_struct * return_value=0x04d6eaa0, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=0x00000001, void * * * tsrm_ls=0x0278ca60)  Line 771 + 0x17 bytes	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x04da0080, void * * * tsrm_ls=0x0278ca00)  Line 320 + 0x41 bytes	C
 	php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x00000000)  Line 1640 + 0xe bytes	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x04d6dca0, void * * * tsrm_ls=0x0278ca00)  Line 107 + 0xa bytes	C
 	php5ts.dll!zend_execute_scripts(int type=0x00000008, void * * * tsrm_ls=0x0278ca60, _zval_struct * * retval=0x00000000, int file_count=0x00000003, ...)  Line 1237	C
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x0230fe44, void * * * tsrm_ls=0x0278ca60)  Line 2308 + 0x12 bytes	C
 	php5apache2_2.dll!php_handler(request_rec * r=0x01f77130)  Line 669 + 0xe bytes	C

System infos (this is from php 5.3.8, same behavior in 5.3.10):

System 	Windows NT xx6.0 build 6002 (Windows Vista Business Edition Service Pack 2) i586 

Architecture 	x86
Configure Command 	cscript /nologo configure.js "--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=D:\php-sdk\oracle\instantclient11\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" 

Apache Version 	Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 

PCRE (Perl Compatible Regular Expressions) Support 	enabled
PCRE Library Version 	8.12 2011-01-15 

Test script:
print_r (preg_match("/(\"praeparari\")(.)*(\.)/ixs",$data)); //crash
print_r (preg_match("/(.)*/ixs",$data));  //crash

Expected result:
no crash. 

Actual result:
httpd worker crashes due to crash in php5ts


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-01 00:41 UTC]
-Status: Open +Status: Not a bug
 [2012-03-01 00:41 UTC]
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It's known PCRE problem, not a PHP issue. Check out other PCRE related reports.
 [2012-03-01 07:12 UTC]
Alternatively you can increase the stack on windows too by increasing the stack of 
Apache. See the other reports about this problem. Editbin or http config can help.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 27 17:01:34 2024 UTC