Bug #61920 "Segmentation fault" when \xfe is a part of mb_eregi_replace pattern
Submitted: 2012-05-03 08:33 UTC Modified: 2016-07-30 11:32 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: wojak@php.net Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.3.11 OS: Linux Ubuntu 10.04.2 LTS
Private report: No CVE-ID: None
 [2012-05-03 08:33 UTC] wojak@php.net
Description:
------------
I get a "Segmentation fault" when \xfe is part of the pattern argument in the mb_eregi_replace() method.


Test script:
---------------
php -r 'mb_regex_encoding ("UTF-8");mb_internal_encoding("UTF-8");echo mb_eregi_replace ("[^\xfe]" , "?" , "\xfe ");'


 [2012-05-03 14:48 UTC] laruence@php.net
Only for PHP 5.3; 5.4 works fine. bt is:

Core was generated by `php53 -r mb_regex_encoding ("UTF-8");mb_internal_encoding("UTF-8");echo mb_ereg'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005f3273 in next_state_val (cc=0x2406d48, vs=0x7fff1e996960, v=0, vs_israw=0x7fff1e9969b8, v_israw=0, intype=CCV_SB,
    type=0x7fff1e9969b4, state=0x7fff1e9969b0, env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:3973
3973	      BITSET_SET_BIT(cc->bs, (int )(*vs));
(gdb) bt
#0  0x00000000005f3273 in next_state_val (cc=0x2406d48, vs=0x7fff1e996960, v=0, vs_israw=0x7fff1e9969b8, v_israw=0, intype=CCV_SB,
    type=0x7fff1e9969b4, state=0x7fff1e9969b0, env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:3973
#1  0x00000000005f3f26 in parse_char_class (np=0x7fff1e996b48, tok=0x7fff1e996bf0, src=0x7fff1e996c70, end=0x2516b24 "", env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:4342
#2  0x00000000005f58ff in parse_exp (np=0x7fff1e996b48, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5019
#3  0x00000000005f609f in parse_branch (top=0x7fff1e996ba8, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5171
#4  0x00000000005f620a in parse_subexp (top=0x7fff1e996d98, tok=0x7fff1e996bf0, term=0, src=0x7fff1e996c70, end=0x2516b24 "",
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5208
#5  0x00000000005f6391 in parse_regexp (top=0x7fff1e996d98, src=0x7fff1e996c70, end=0x2516b24 "", env=0x7fff1e996cb0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5252
#6  0x00000000005f6464 in onig_parse_make_tree (root=0x7fff1e996d98, pattern=0x2516b20 "[^\376]", end=0x2516b24 "", reg=0x24f9450,
    env=0x7fff1e996cb0) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regparse.c:5279
#7  0x00000000005de803 in onig_compile (reg=0x24f9450, pattern=0x2516b20 "[^\376]", pattern_end=0x2516b24 "", einfo=0x7fff1e996e60)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regcomp.c:5168
#8  0x00000000005deed5 in onig_new (reg=0x7fff1e996e78, pattern=0x2516b20 "[^\376]", pattern_end=0x2516b24 "", option=13, enc=0x112a280,
    syntax=0x1129dc0, einfo=0x7fff1e996e60) at /home/huixinchen/opensource/php-5.3/ext/mbstring/oniguruma/regcomp.c:5399
#9  0x00000000006280e0 in php_mbregex_compile_pattern (pattern=0x2516b20 "[^\376]", patlen=4, options=13, enc=0x112a280, syntax=0x1129dc0)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:458
#10 0x00000000006291f1 in _php_mb_regex_ereg_replace_exec (ht=3, return_value=0x2518c28, return_value_ptr=0x0, this_ptr=0x0,
    return_value_used=1, options=13) at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:857
#11 0x000000000062a384 in zif_mb_eregi_replace (ht=3, return_value=0x2518c28, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /home/huixinchen/opensource/php-5.3/ext/mbstring/php_mbregex.c:980
#12 0x00000000008b1a97 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fe8cadd2090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:320
#13 0x00000000008b5fa0 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fe8cadd2090)
    at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:1640
#14 0x00000000008b0f70 in execute (op_array=0x2518970) at /home/huixinchen/opensource/php-5.3/Zend/zend_vm_execute.h:107
#15 0x000000000086e5f1 in zend_eval_stringl (
 [2012-05-04 22:56 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: moriyoshi
 [2012-05-05 12:58 UTC] Reeze dot xia at gmail dot com
This is a bug in the bundled oniguruma in 5.3.
5.4 upgraded it but 5.3 didn't.

Upgrading the bundled oniguruma can fix the bug.
 [2012-06-05 11:53 UTC] frithjof at digital-poets dot net
Also reproduced on Ubuntu 12.04
PHP 5.3.10-1ubuntu3.1 with Suhosin-Patch (cli) (built: May  4 2012 02:20:36) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
 [2016-07-30 11:31 UTC] cmb@php.net
-Status: Assigned +Status: Closed -Assigned To: moriyoshi +Assigned To: cmb
 [2016-07-30 11:31 UTC] cmb@php.net
Indeed, this issue has been fixed at least as of oniguruma 5.9.2,
which is bundled as of PHP 5.0.0, see <https://3v4l.org/bUMi2>.
(The missing warning is due to the new pre-validation[1].)

[1] <https://github.com/php/php-src/commit/eb3e7f7>
 [2016-07-30 11:32 UTC] cmb@php.net
> which is bundled as of PHP 5.0.0

"which is bundled as of PHP 5.5.0", of course
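
Added example, not part of the original report or of php-src: one way to check encodings in application code before a pattern reaches the regex engine, so that a byte such as \xfe in a UTF-8 pattern is rejected up front. safe_mb_eregi_replace() is a hypothetical helper name, the sample inputs are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example: validate encodings before the regex engine parses the pattern.
// safe_mb_eregi_replace() is a hypothetical helper, not a PHP built-in.

function safe_mb_eregi_replace(string $pattern, string $replacement, string $subject, string $encoding = 'UTF-8'): string
{
    // Reject any argument that is not well-formed in the declared encoding.
    $args = ['pattern' => $pattern, 'replacement' => $replacement, 'subject' => $subject];
    foreach ($args as $name => $value) {
        if (!mb_check_encoding($value, $encoding)) {
            throw new InvalidArgumentException(
                sprintf('%s is not valid %s (hex: %s)', $name, $encoding, bin2hex($value))
            );
        }
    }

    // Set the regex encoding only for this call and restore it afterwards.
    $previous = mb_regex_encoding();
    mb_regex_encoding($encoding);
    try {
        $result = mb_eregi_replace($pattern, $replacement, $subject);
    } finally {
        mb_regex_encoding($previous);
    }
    if (!is_string($result)) {
        throw new RuntimeException('mb_eregi_replace() failed');
    }
    return $result;
}

// Constructed inputs: the first is the pattern and subject from this report
// (the byte 0xFE never occurs in well-formed UTF-8); the second is valid.
$cases = [
    ["[^\xfe]", '?', "\xfe "],
    ['[^a]', '?', 'abc'],
];
foreach ($cases as [$p, $r, $s]) {
    try {
        echo safe_mb_eregi_replace($p, $r, $s), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```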
 