Bug #64046 Segmentation fault in pcre library
Submitted: 2013-01-22 13:47 UTC Modified: 2013-06-30 20:31 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: public at miholeus dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: Irrelevant OS: Ubuntu 12.04.1 LTS
Private report: No CVE-ID: None
 [2013-01-22 13:47 UTC] public at miholeus dot com
Description:
------------
The following code causes a segmentation fault. You can see the code at the link I've 
provided.

Test script:
---------------
Code http://pastebin.com/UzBjDaZU

Expected result:
----------------
no segfault

Actual result:
--------------
With gdb:

(gdb) run /var/www/work/crm/trunk/pcre.php
Starting program: /usr/bin/php /var/www/work/crm/trunk/pcre.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe42e4700 (LWP 4329)]
[Thread 0x7fffe42e4700 (LWP 4329) exited]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d99a62 in ?? () from /lib/x86_64-linux-gnu/libpcre.so.3

 [2013-01-23 18:12 UTC] krakjoe@php.net
This does cause a stack overflow, for some reason the default limits for 
recursion are very high, maybe someone has an explanation of that.

You have:
"/'([^'])*'/"

Shouldn't that be:
"/'([^']*)'/"

?
 [2013-01-24 08:35 UTC] pajoye@php.net
-Status: Open +Status: Not a bug
 [2013-01-24 08:35 UTC] pajoye@php.net
Not a PHP bug but pcre recursion classic stack crash, see the numerous other 
reports for more info.
 [2013-01-24 15:28 UTC] public at miholeus dot com
I understand. Thanks for the reply.
 [2013-06-30 20:05 UTC] php at richardneill dot org
I've just been bitten by this bug too.

It manifests as "Connection Reset" error on the website, and this in the apache logs: "[Sun Jun 30 20:58:07 2013] [notice] child pid 32544 exit signal Segmentation fault (11)"

I do understand that the segfault isn't a PHP bug, but it would be really helpful if the error message could be more specific: something like "segfault in PCRE at line X in file Y".


Aside: another test-case.
Here, it can be triggered by a value over about 5400:
$input='<span>'.str_repeat('X', 5500).'</span>';
$output = preg_replace("/<span>(((?!(<\/span>)).)*)<\/span>/",  "BEGIN \\1 END"  ,$input);

Reducing pcre.recursion_limit converts the segfault into a PCRE failure... but there is nothing that will make the RE actually work as intended. (In the contrived example, we can of course just use str_replace.)
 [2013-06-30 20:31 UTC] pajoye@php.net
@ krakjoe@php.net
We have no control over the segfault, if we would, it would happen in the first 
place.

You can play with the stack size (apache config), increase it and at some point it 
will be large enough to avoid this crash.
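
Added example, not part of the original report or any commenter's code: it runs the two patterns quoted in the thread under a lowered pcre.recursion_limit and turns the NULL that preg_replace() returns on a PCRE failure into a logged error instead of a crashed worker. The limit of 1000, the helper name safe_preg_replace() and the 5500-character subject are assumptions for illustration; on builds where PCRE matches by stack recursion the per-character group is the one expected to hit the limit, and JIT or newer PCRE2 builds can behave differently.

```php
<?php
// Added illustration; limit value and input are constructed assumptions.
// Keep the limit low enough that PCRE gives up before the process stack does.
ini_set('pcre.recursion_limit', '1000');

/**
 * Hypothetical wrapper: run preg_replace() and raise an exception naming the
 * PCRE error when it returns NULL, so the failure is never used as output.
 */
function safe_preg_replace(string $pattern, string $replacement, string $subject): string
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        $names = [
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit reached',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit reached',
            PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit reached',
        ];
        $code = preg_last_error();
        $name = $names[$code] ?? "error code $code";
        throw new RuntimeException(
            "PCRE failure ($name) on a " . strlen($subject) . '-byte subject'
        );
    }
    return $result;
}

// Constructed subject: one long quoted string, sized like the thread's test case.
$subject = "'" . str_repeat('X', 5500) . "'";

$patterns = [
    // Group repeated once per character: one level of matcher recursion each.
    'per-character group'   => "/'([^'])*'/",
    // Character class repeated inside the group: no per-character group entry.
    'class repeat in group' => "/'([^']*)'/",
];

foreach ($patterns as $label => $pattern) {
    try {
        $out = safe_preg_replace($pattern, 'Q', $subject);
        echo "$label: ok, result is ", strlen($out), " bytes\n";
    } catch (RuntimeException $e) {
        // In a web application this would go to the error log.
        echo "$label: ", $e->getMessage(), "\n";
    }
}
```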
 
Last updated: Fri Apr 19 12:01:27 2024 UTC