Bug #68628 preg_match() causes stack overflow exception
Submitted: 2014-12-19 09:22 UTC Modified: 2014-12-19 12:23 UTC
From: roman dot paska at gmail dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.4.36 OS: Windows 7
Private report: No CVE-ID: None
 [2014-12-19 09:22 UTC] roman dot paska at gmail dot com
Description:
------------
preg_match() crashes PHP & Apache with stack overflow exception on Windows 7.

I'm not able to reproduce it with plain PHP code. It crashes using Drupal 7 under some circumstances.

Regular expression is preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url) 

More details to follow.

Actual result:
--------------
In httpd__PID__6364__Date__12_19_2014__Time_10_40_54AM__870__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!php_pcre_compile+99c8 in C:\Program Files\PHP54\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00000001 on thread 9

Type of Analysis Performed - Combined Crash/Hang Analysis
Operating System - Windows 7 Service Pack 1
Number Of Processors - 4
Process ID - 6364
Process Image - c:\Program Files\Apache Software Foundation\Apache24\bin\httpd.exe
System Up-Time - 1 day(s) 00:06:33
Process Up-Time - 00:00:04
Processor Type - X86
Process Bitness - 32-Bit

Thread 9 - System ID 2100
Entry point	  libhttpd!ap_regkey_value_remove+11a0
Create time	  19.12.2014 10:40:50
Time spent in user mode	  0 Days 00:00:00.390
Time spent in kernel mode	  0 Days 00:00:00.156
This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

Function
php5ts!php_pcre_compile+99c8
0x00989680
php5ts!php_pcre_match_impl+269
php5ts!pcre_get_compiled_regex_cache+4a9
php5ts!php_pcre_grep_impl+394
php5ts!php_pcre_grep_impl+3b6
php5ts!zval_copy_ctor_func+4a8
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_call_function+379
php5ts!zval_add_ref+2c22
php5ts!php_error_log_ex+323
php5ts!zval_copy_ctor_func+4a8
php5ts!add_assoc_stringl_ex+1b9
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_call_function+379
php5ts!zval_add_ref+2c22
php5ts!php_error_log_ex+323
php5ts!zval_copy_ctor_func+4a8
php5ts!add_assoc_stringl_ex+286
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_execute_scripts+15a
php5ts!ts_resource_ex+14
php5ts!php_execute_script+1c5
php5ts!php_execute_script+a8
KERNELBASE!WaitForSingleObjectEx+cb
php_mbstring!mbfl_name2language+2b5
php_xsl!get_module+2ec
libapr_1!apr_pmemdup+2a
libapr_1!apr_pstrdup+29
php5apache2_4+18c7
mod_rewrite+7061
libhttpd!ap_run_handler+25
libhttpd!ap_invoke_handler+a1
libhttpd!ap_internal_redirect+36
mod_rewrite+80fa
libhttpd!ap_run_handler+25
libhttpd!ap_invoke_handler+a1
libhttpd!ap_die+39c
libhttpd!ap_die+42f
libhttpd!ap_psignature+14c8

History

 [2014-12-19 09:55 UTC] roman dot paska at gmail dot com
I was able to reproduce this without Drupal 7.

Code sample
-----------
<?php

$url = 'mailto:inquiries@lifenethealth.org?subject=Join%20me%20in%20Saving%20Lives%20and%20Restoring%20Health!&body=I%20just%20made%20a%20charitable%20contribution%20to%20support%20the%20LifeNet%20Health%20Foundation%20in%20their%20mission%20of%20Saving%20Lives%20and%20Restoring%20Health.%20%20Please%20join%20me%20by%20following%20the%20link%20below%20and%20consider%20making%20a%20contribution.%20%20Even%20a%20small%20gift%20of%20%245%2C%20%2410%2C%20or%20%2415%20can%20make%20a%20real%20impact!%0A%0AYour%20donation%20will%20support%3A%0A%0A%E2%80%A2%09Quality%20educational%20programs%20for%20the%20general%20public%20and%20the%20healthcare%20community%20regarding%20organ%20and%20tissue%20donation%2C%0A%E2%80%A2%09Donor%20Family%20Services%20activities%2C%20such%20as%20grief%20materials%2C%20workshops%2C%20newsletters%20and%20special%20events%2C%20and%3B%0A%E2%80%A2%09LifeNet%20Health%E2%80%99s%20research%20and%20development%20initiatives%2C%20including%20the%20new%20Institute%20of%20Regenerative%20Medicine%20that%20will%20help%20to%20further%20the%20mission%20of%20Saving%20Lives%20and%20Restoring%20Health%20with%20breakthroughs%20in%20cellular%20therapy%20research.%0A%0AYour%20financial%20contribution%20to%20the%20LifeNet%20Health%20Foundation%20is%20an%20investment%20that%20will%20directly%20affect%20people%E2%80%99s%20lives.%20%20Please%20consider%20becoming%20a%20partner%20in%20Saving%20Lives%20and%20Restoring%20Health.%0A';

// Same pattern as in the report; every accepted character is one iteration of the repeated group
preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url);

It works from PHP CLI, but crashes Apache via browser. PHP is connected as an Apache module.

Apache 2.2.17 and 2.4.10 are affected.

Hard to say whether it's Apache or PHP issue.
 [2014-12-19 12:23 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2014-12-19 12:23 UTC] ab@php.net
This is a known issue, please see bug #63829 for solution.
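Editor's note with an added example (not code from the reporter, from PHP or from the referenced bug): the posted pattern repeats a group whose body is an alternation, so every accepted character is one iteration of the group, and in PCRE each iteration nests one level deeper (a recursive match() call in the PCRE used by PHP 5.x, a nested backtracking frame in PCRE2). Match depth therefore grows linearly with the subject length, and a subject of several thousand characters exhausts a worker thread's stack in Apache while still fitting on the larger main-thread stack of the CLI, which is why the same script behaves differently in the two environments. The block below uses the reporter's pattern, a constructed input of the same shape, and the real pcre.recursion_limit / pcre.jit ini settings and preg_last_error() codes; safe_preg_match() and the rewritten pattern are mine.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Uses the reporter's pattern, a constructed long input, and the real
// pcre.* ini settings and preg_last_error() codes; function names are my own.

// Reporter's pattern: every accepted character is one iteration of the
// repeated group, and each iteration costs one level of PCRE recursion
// (pre-PCRE2) or one nested backtracking frame (PCRE2), so match depth
// grows linearly with the input length.
$original = '/^(?:[\w#!:\.\?\+=&@$\'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i';

// Rewrite accepting exactly the same strings: the repeated item is a single
// character class (matched iteratively, not recursively), "%" joins the
// class, and a lookahead rejects any "%" not followed by two hex digits.
// Hex digits are already covered by \w, so the accepted language is unchanged.
$rewritten = '/^(?![\s\S]*%(?![0-9a-f]{2}))[\w#!:\.\?\+=&@$\'~*,;\/\(\)\[\]%\-]+$/i';

// Run a match under a recursion/depth ceiling so that exhaustion surfaces as
// an error code instead of a thread stack overflow. pcre.jit (PHP 7+) is
// switched off because the JIT matcher does not honour pcre.recursion_limit;
// on PHP 5.x the ini_set for it simply fails and is harmless.
function safe_preg_match($pattern, $subject, $recursionLimit)
{
    ini_set('pcre.jit', '0');
    ini_set('pcre.recursion_limit', (string) $recursionLimit);
    $rc = preg_match($pattern, $subject);   // false on error, 0 on no match, 1 on match
    return array(
        'matched' => ($rc === 1),
        'error'   => preg_last_error(),     // PREG_NO_ERROR or PREG_RECURSION_LIMIT_ERROR here
    );
}

// Constructed input in the shape of the reported one: a mailto: URL whose
// body parameter is several thousand percent-encoded characters.
$url = 'mailto:inquiries@example.org?subject=Join%20me&body='
     . str_repeat('word%20', 2000);         // roughly 14 000 characters

$limit = 1000;                              // deliberately far below the default of 100000
$a = safe_preg_match($original,  $url, $limit);   // fails with PREG_RECURSION_LIMIT_ERROR
$b = safe_preg_match($rewritten, $url, $limit);   // matches, depth stays constant

printf("original : matched=%d error=%d (PREG_RECURSION_LIMIT_ERROR is %d)\n",
       $a['matched'], $a['error'], PREG_RECURSION_LIMIT_ERROR);
printf("rewritten: matched=%d error=%d\n", $b['matched'], $b['error']);

// Both patterns still reject a malformed escape such as a "%" without two hex digits.
$bad = 'mailto:x@example.org?body=100%25%2';
var_dump(preg_match($original, $bad) === 0 && preg_match($rewritten, $bad) === 0); // bool(true)
```

Two practical points for anyone hitting this in production. First, preg_match() returns false on a PCRE error, so code that tests `if (!preg_match(...))` silently treats "limit exceeded" as "invalid input"; check preg_last_error() after a false result and decide explicitly. Second, the ini ceilings and the pattern rewrite address the PHP side; the per-thread stack that the Apache module runs under is an httpd setting (the ThreadStackSize directive), and raising it only moves the point at which a longer input crashes the worker, whereas a pattern that does not recurse per character removes the length dependence altogether.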
 