php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68628 preg_match() causes stack overflow exception
Submitted: 2014-12-19 09:22 UTC Modified: 2014-12-19 12:23 UTC
From: roman dot paska at gmail dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.4.36 OS: Windows 7
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: roman dot paska at gmail dot com
New email:
PHP Version: OS:

 

 [2014-12-19 09:22 UTC] roman dot paska at gmail dot com
Description:
------------
preg_match() crashes PHP & Apache with stack overflow exception on Windows 7.

I'm not able to reproduce it with plain PHP code. It crashes using Drupal 7 under some circumstances.

Regular expression is preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url) 

More details to follow.

Actual result:
--------------
In httpd__PID__6364__Date__12_19_2014__Time_10_40_54AM__870__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!php_pcre_compile+99c8 in C:\Program Files\PHP54\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00000001 on thread 9

Type of Analysis Performed - Combined Crash/Hang Analysis
Operating System - Windows 7Service Pack 1
Number Of Processors - 4
Process ID - 6364
Process Image - c:\Program Files\Apache Software Foundation\Apache24\bin\httpd.exe
System Up-Time - 1 day(s) 00:06:33
Process Up-Time - 00:00:04
Processor Type - X86
Process Bitness - 32-Bit

Thread 9 - System ID 2100
Entry point	  libhttpd!ap_regkey_value_remove+11a0
Create time	  19.12.2014 10:40:50
Time spent in user mode	  0 Days 00:00:00.390
Time spent in kernel mode	  0 Days 00:00:00.156



This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

Function
php5ts!php_pcre_compile+99c8
0x00989680
php5ts!php_pcre_match_impl+269
php5ts!pcre_get_compiled_regex_cache+4a9
php5ts!php_pcre_grep_impl+394
php5ts!php_pcre_grep_impl+3b6
php5ts!zval_copy_ctor_func+4a8
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_call_function+379
php5ts!zval_add_ref+2c22
php5ts!php_error_log_ex+323
php5ts!zval_copy_ctor_func+4a8
php5ts!add_assoc_stringl_ex+1b9
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_call_function+379
php5ts!zval_add_ref+2c22
php5ts!php_error_log_ex+323
php5ts!zval_copy_ctor_func+4a8
php5ts!add_assoc_stringl_ex+286
php5ts!zval_add_ref+1385
php5ts!execute+1fe
php5ts!zend_execute_scripts+15a
php5ts!ts_resource_ex+14
php5ts!php_execute_script+1c5
php5ts!php_execute_script+a8
KERNELBASE!WaitForSingleObjectEx+cb
php_mbstring!mbfl_name2language+2b5
php_xsl!get_module+2ec
libapr_1!apr_pmemdup+2a
libapr_1!apr_pstrdup+29
php5apache2_4+18c7
mod_rewrite+7061
libhttpd!ap_run_handler+25
libhttpd!ap_invoke_handler+a1
libhttpd!ap_internal_redirect+36
mod_rewrite+80fa
libhttpd!ap_run_handler+25
libhttpd!ap_invoke_handler+a1
libhttpd!ap_die+39c
libhttpd!ap_die+42f
libhttpd!ap_psignature+14c8

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-19 09:55 UTC] roman dot paska at gmail dot com
I was able to reproduce this without Drupal 7.

Code sample
-----------
<?php

$url = 'mailto:inquiries@lifenethealth.org?subject=Join%20me%20in%20Saving%20Lives%20and%20Restoring%20Health!&body=I%20just%20made%20a%20charitable%20contribution%20to%20support%20the%20LifeNet%20Health%20Foundation%20in%20their%20mission%20of%20Saving%20Lives%20and%20Restoring%20Health.%20%20Please%20join%20me%20by%20following%20the%20link%20below%20and%20consider%20making%20a%20contribution.%20%20Even%20a%20small%20gift%20of%20%245%2C%20%2410%2C%20or%20%2415%20can%20make%20a%20real%20impact!%0A%0AYour%20donation%20will%20support%3A%0A%0A%E2%80%A2%09Quality%20educational%20programs%20for%20the%20general%20public%20and%20the%20healthcare%20community%20regarding%20organ%20and%20tissue%20donation%2C%0A%E2%80%A2%09Donor%20Family%20Services%20activities%2C%20such%20as%20grief%20materials%2C%20workshops%2C%20newsletters%20and%20special%20events%2C%20and%3B%0A%E2%80%A2%09LifeNet%20Health%E2%80%99s%20research%20and%20development%20initiatives%2C%20including%20the%20new%20Institute%20of%20Regenerative%20Medicine%20that%20will%20help%20to%20further%20the%20mission%20of%20Saving%20Lives%20and%20Restoring%20Health%20with%20breakthroughs%20in%20cellular%20therapy%20research.%0A%0AYour%20financial%20contribution%20to%20the%20LifeNet%20Health%20Foundation%20is%20an%20investment%20that%20will%20directly%20affect%20people%E2%80%99s%20lives.%20%20Please%20consider%20becoming%20a%20partner%20in%20Saving%20Lives%20and%20Restoring%20Health.%0A';

preg_match("/^(?:[\w#!:\.\?\+=&@$'~*,;\/\(\)\[\]\-]|%[0-9a-f]{2})+$/i", $url);

It works from PHP CLI, but crashes Apache via Browser. PHP connected as a Apache module. 

Apache 2.2.17 and 2.4.10 affected.

Hard to say whether it's Apache or PHP issue.
 [2014-12-19 12:23 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2014-12-19 12:23 UTC] ab@php.net
This is a known issue, please see bug #63829 for solution.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Sep 13 05:01:28 2024 UTC