php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61213 PCRE - Stack Overflow due to unlimited recursions in preg_match() crashing php5
Submitted: 2012-02-29 20:59 UTC Modified: 2012-03-01 07:12 UTC
From: mccool at gmx dot ch Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.10 OS: win32 (vista x86)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
27 - 24 = ?
Subscribe to this entry?

 
 [2012-02-29 20:59 UTC] mccool at gmx dot ch
Description:
------------
stack overflow in php5ts.dll

Unhandled exception at 0x60b7b0b3 (php5ts.dll) in httpd.exe: 0xC00000FD: Stack overflow.
module: php5ts.dll


affected php versions: 5.3.8/5.3.9/5.3.10 (win32)
src: ./ext/pcre/php_pcre.c:497
     ./ext/pcre/pcre_exec.c:649  (position on stack overflow, random since this is a stack overflow)


btw. yes i know i can set pcre.recursion_limit. this might fix the symptoms but not the problem. php crashes even with pcre.recursion_limit=650. for example other projects do not crash on maxed out recursions...

Regards,
Martin
-------------
Call Stack:
-----------

... php5ts.dll!match() repeatet until stack exhausted ....
 	php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705ca0, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000004, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000001)  Line 1515 + 0x2f bytes	C
 	php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705c98, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000002, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000000)  Line 834 + 0x40 bytes	C
 	php5ts.dll!php_pcre_exec(const real_pcre * argument_re=0x02705c70, const pcre_extra * extra_data=0x0230fa5c, const char * subject=0x04d6e5f0, int length=0x00000467, int start_offset=0x00000000, int options=0x00000000, int * offsets=0x04d6eb10, int offsetcount=0x0000000c)  Line 6099 + 0x3f bytes	C
 	php5ts.dll!php_pcre_match_impl(pcre_cache_entry * pce=0x04f79918, char * subject=0x04d6e5f0, int subject_len=0x00000467, _zval_struct * return_value=0x04d6eaa0, _zval_struct * subpats=0x04d6ea80, int global=0x00000000, int use_flags=0x00000000, long flags=0x00000000, long start_offset=0x00000000, void * * * tsrm_ls=0x0278ca60)  Line 629	C
 	php5ts.dll!php_do_pcre_match(int ht=0x00000003, _zval_struct * return_value=0x00000000, _zval_struct * * return_value_ptr=0x60b72db7, _zval_struct * this_ptr=0x60b72db7, int return_value_used=0x60b72db7, void * * * tsrm_ls=0x00000000, int global=0x00000000)  Line 520 + 0x2b bytes	C
 	php5ts.dll!zif_preg_match(int ht=0x00000003, _zval_struct * return_value=0x04d6eaa0, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=0x00000001, void * * * tsrm_ls=0x0278ca60)  Line 771 + 0x17 bytes	C
 	php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x04da0080, void * * * tsrm_ls=0x0278ca00)  Line 320 + 0x41 bytes	C
 	php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x00000000)  Line 1640 + 0xe bytes	C
 	php5ts.dll!execute(_zend_op_array * op_array=0x04d6dca0, void * * * tsrm_ls=0x0278ca00)  Line 107 + 0xa bytes	C
 	php5ts.dll!zend_execute_scripts(int type=0x00000008, void * * * tsrm_ls=0x0278ca60, _zval_struct * * retval=0x00000000, int file_count=0x00000003, ...)  Line 1237	C
 	php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x0230fe44, void * * * tsrm_ls=0x0278ca60)  Line 2308 + 0x12 bytes	C
 	php5apache2_2.dll!php_handler(request_rec * r=0x01f77130)  Line 669 + 0xe bytes	C
 	libhttpd.dll!6ff02515() 	
....


System infos (this is from php 5.3.8, same behavior in 5.3.10):
-------------

System 	Windows NT xx6.0 build 6002 (Windows Vista Business Edition Service Pack 2) i586 

Architecture 	x86
Configure Command 	cscript /nologo configure.js "--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=D:\php-sdk\oracle\instantclient11\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" 



Apache Version 	Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 

pcre
PCRE (Perl Compatible Regular Expressions) Support 	enabled
PCRE Library Version 	8.12 2011-01-15 

Test script:
---------------
<?php
$data= 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"praeparari"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApraeparariAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'; //+1A to crash => 10.494~
print_r (preg_match("/(\"praeparari\")(.)*(\.)/ixs",$data)); //crash
print_r (preg_match("/(.)*/ixs",$data));  //crash
?>

Expected result:
----------------
no crash. 

Actual result:
--------------
httpd worker crashes due to crash in php5ts


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-01 00:41 UTC] felipe@php.net
-Status: Open +Status: Not a bug
 [2012-03-01 00:41 UTC] felipe@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It's known PCRE problem, not a PHP issue. Check out other PCRE related reports.
 [2012-03-01 07:12 UTC] pajoye@php.net
Alternatively you can increase the stack on windows too by increasing the stack of 
Apache. See the other reports about this problem. Editbin or http config can help.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC