Bug #68253 Segfault on preg_match with offset
Submitted: 2014-10-17 14:53 UTC Modified: 2014-12-30 08:45 UTC
From: obouda at email dot cz Assigned:
Status: Duplicate Package: Reproducible crash
PHP Version: Irrelevant OS: Windows 7, 64bit
Private report: No CVE-ID: None
 [2014-10-17 14:53 UTC] obouda at email dot cz
For the provided script, I get a segfault. We observed this on various platforms and versions (PHP 5.4 on Windows and Debian, PHP 5.5 on Mac), just the crashing input differs on every platform. The provided script crashes on PHP 5.4 on Windows.

The segfault is "almost deterministic", i.e., it crashes on a given input quite every time. It varies depending on $str, $re and the offset provided to the preg_match().

Test script:
$str = <<<TXT
"name"=>"---------", "description"=>"------------------------
TXT;

$re = '~(?:"((?:[^"\\\\]|\\\\\\\\)*)"|([^\s,=>"]+))\s*=>\s*(?:"((?1))"|((?2)))~';

preg_match($re, $str, $m, 0, 1); // segfaults

echo 'this does not get printed';

Actual result:
In httpd__PID__12244__Date__10_17_2014__Time_04_36_42PM__962__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!is_equal_function+169 in C:\xampp\php\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00000001 on thread 4

Thread 4 - System ID 12096
Entry point	  libhttpd!ap_regkey_value_remove+1060
Create time	  17.10.2014 16:35:40
Time spent in user mode	  0 Days 00:00:00.000
Time spent in kernel mode	  0 Days 00:00:00.000

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.


 [2014-12-30 08:37 UTC]
-Status: Open +Status: Duplicate -Type: Security +Type: Bug
 [2014-12-30 08:37 UTC]
Looks like a duplicate of - stack overflow in regexp. Please try to set lower pcre.recursion_limit or increase stack size for the process.
 [2014-12-30 08:45 UTC] obouda at email dot cz
Will try. Thank you for your attention.
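
The workaround suggested in the thread above, as an added example (not code from the report or from the PHP project): lower pcre.recursion_limit for a single call and treat a false return as an engine error, so a deeply recursing pattern fails cleanly instead of exhausting the process stack. The helper name bounded_preg_match(), the limit of 1000 and the input string are assumptions constructed for illustration.

```php
<?php
// Added example; helper name, limit value and input are constructed assumptions.

function bounded_preg_match(string $re, string $str, &$m = null, int $offset = 0, int $limit = 1000): int
{
    // Lower the limit for this call only, then restore the previous value.
    $old = ini_set('pcre.recursion_limit', (string) $limit);
    try {
        $r = preg_match($re, $str, $m, 0, $offset);
    } finally {
        if ($old !== false) {
            ini_set('pcre.recursion_limit', $old);
        }
    }

    if ($r === false) {
        // preg_match() returns false on engine errors; 0 only means "no match".
        $names = [
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
            PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
            PREG_JIT_STACKLIMIT_ERROR  => 'PREG_JIT_STACKLIMIT_ERROR',
        ];
        $code = preg_last_error();
        throw new RuntimeException('PCRE error: ' . ($names[$code] ?? "code $code"));
    }
    return $r;
}

// Pattern taken from the report.
$re = '~(?:"((?:[^"\\\\]|\\\\\\\\)*)"|([^\s,=>"]+))\s*=>\s*(?:"((?1))"|((?2)))~';

// Constructed input: a long quoted value that is never closed.
$str = '"name"=>"' . str_repeat('-', 200000);

try {
    $n = bounded_preg_match($re, $str, $m, 1);
    echo $n === 1 ? "matched\n" : "no match\n";
} catch (RuntimeException $e) {
    // Reject the input instead of retrying with a higher limit.
    echo $e->getMessage(), "\n";
}
```

Which limit trips first depends on the PHP and PCRE build, so the helper handles every false return the same way rather than testing for one error code.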