Bug #68253 Segfault on preg_match with offset
Submitted: 2014-10-17 14:53 UTC Modified: 2014-12-30 08:45 UTC
From: obouda at email dot cz Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: Irrelevant OS: Windows 7, 64bit
Private report: No CVE-ID: None
 [2014-10-17 14:53 UTC] obouda at email dot cz
Description:
------------
For the provided script, I get a segfault. We observed this on various platforms and versions (PHP 5.4 on Windows and Debian, PHP 5.5 on Mac); only the crashing input differs on each platform. The provided script crashes on PHP 5.4 on Windows.

The segfault is "almost deterministic", i.e., it crashes on a given input almost every time. It varies depending on $str, $re and the offset provided to preg_match().

Test script:
---------------
<?php
// Subject: a key => "value" list whose second value is a long quoted string
$str = <<<TXT
"name"=>"---------", "description"=>"------------------------
----------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------"
TXT;

// Key (quoted or bare), "=>", value (quoted or bare); the value alternatives
// recurse into the key groups via (?1) and (?2)
$re = '~(?:"((?:[^"\\\\]|\\\\\\\\)*)"|([^\s,=>"]+))\s*=>\s*(?:"((?1))"|((?2)))~';

preg_match($re, $str, $m, 0, 1); // segfaults (offset 1 starts after the leading quote)

echo 'this does not get printed';


Actual result:
--------------
In httpd__PID__12244__Date__10_17_2014__Time_04_36_42PM__962__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!is_equal_function+169 in C:\xampp\php\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00000001 on thread 4

Thread 4 - System ID 12096
Entry point                 libhttpd!ap_regkey_value_remove+1060
Create time                 17.10.2014 16:35:40
Time spent in user mode     0 Days 00:00:00.000
Time spent in kernel mode   0 Days 00:00:00.000

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.
Function
php5ts!is_equal_function+169
0x000f4240
ntdll!RtlpLowFragHeapAllocFromContext+aec
php5ts!zend_hash_add_or_update+2a2
php5ts!zend_parse_parameters+2b
php5ts!zval_update_constant_inline_change+a9
php5ts!add_function+964
php5ts!execute_internal+37
php_xdebug!get_module+2364
php5ts!libiconv_open+ab877

History

 [2014-12-30 08:37 UTC] stas@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug
 [2014-12-30 08:37 UTC] stas@php.net
Looks like a duplicate of https://bugs.php.net/bug.php?id=61213 - stack overflow in regexp. Please try setting a lower pcre.recursion_limit or increasing the stack size for the process.
 [2014-12-30 08:45 UTC] obouda at email dot cz
Will try. Thank you for your attention.
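Added example, not part of the report or of PHP's own code: the workaround suggested above, applied from inside a script. A recursion limit low enough for the SAPI's thread stack makes PCRE abandon the match with an error that PHP surfaces through preg_last_error(), rather than running the C stack into a guard page and killing the worker. The limit values and the subject string are assumptions for illustration; the right pcre.recursion_limit depends on the stack size of the process (Apache's ThreadStackSize directive, ulimit -s for the CLI), so it has to be tuned per platform.

```php
<?php
// Added example (not from the bug report): run the report's pattern with a
// low PCRE recursion limit so that a deep match fails cleanly instead of
// overflowing the native stack.
//
// Assumptions: the ini values are illustrative and must be tuned to the
// thread stack size of the SAPI in use; the subject string is constructed here.

ini_set('pcre.backtrack_limit', '100000'); // PHP default: 1000000
ini_set('pcre.recursion_limit', '2000');   // PHP default: 100000; assumed safe for a small thread stack

// Pattern from the report: a quoted or bare key, "=>", a quoted or bare value;
// the value alternatives recurse into the key groups via (?1) and (?2).
$re = '~(?:"((?:[^"\\\\]|\\\\\\\\)*)"|([^\s,=>"]+))\s*=>\s*(?:"((?1))"|((?2)))~';

// Constructed subject with the same shape as the report's: a short quoted
// value followed by a long quoted one.
$str = '"name"=>"---------", "description"=>"' . str_repeat('-', 300) . '"';

/**
 * Run preg_match() and report a PCRE limit error by name instead of
 * silently treating false as "no match". Returns the match array or null.
 * (No PHP 7 syntax, so it also runs on the 5.x versions in the report.)
 */
function match_or_report($re, $subject, $offset = 0)
{
    $rc = preg_match($re, $subject, $m, 0, $offset);
    if ($rc === 1) {
        return $m;
    }
    if ($rc === false) {
        // preg_last_error_msg() only exists from PHP 8.0, so map the code here.
        $names = array(
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
            PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
            PREG_BAD_UTF8_OFFSET_ERROR => 'PREG_BAD_UTF8_OFFSET_ERROR',
        );
        if (defined('PREG_JIT_STACKLIMIT_ERROR')) { // PHP >= 7.0, JIT-enabled builds
            $names[PREG_JIT_STACKLIMIT_ERROR] = 'PREG_JIT_STACKLIMIT_ERROR';
        }
        $code = preg_last_error();
        $name = isset($names[$code]) ? $names[$code] : "error code $code";
        fwrite(STDERR, "preg_match failed: $name" . PHP_EOL);
    }
    return null;
}

/** Return whichever of two alternative capture groups participated in the match. */
function captured(array $m, $a, $b)
{
    if (isset($m[$a]) && $m[$a] !== '') {
        return $m[$a];
    }
    return isset($m[$b]) ? $m[$b] : '';
}

$m = match_or_report($re, $str, 1); // offset 1, as in the report
if ($m !== null) {
    printf("key=%s value-length=%d\n", captured($m, 1, 2), strlen(captured($m, 3, 4)));
} else {
    echo "no match or limit reached; the process survived either way\n";
}
```

For a one-off reproduction the same limits can be passed on the command line (`php -d pcre.recursion_limit=2000 -d pcre.backtrack_limit=100000 test.php`) without touching php.ini. Two caveats: a limit that is too low makes legitimate matches fail, so callers must check for false rather than treating it as "no match"; and on PHP 7.3+ with pcre.jit=1, PCRE2's JIT ignores the recursion (depth) limit and instead reports PREG_JIT_STACKLIMIT_ERROR when its own separately allocated stack is exhausted, so the error name, not the limit, is what to watch for.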
 