php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71278 libpcre3 causes PHP to crash if a crafted regex is supplied to preg_match
Submitted: 2016-01-05 02:46 UTC Modified: 2016-01-13 23:58 UTC
From: v dot bakaitis at gmail dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.6.16 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: v dot bakaitis at gmail dot com
New email:
PHP Version: OS:

 

 [2016-01-05 02:46 UTC] v dot bakaitis at gmail dot com
Description:
------------
libpcre3 does not properly check for circular references when numbered patterns are used, e.g.

/(((?3)))((?1))/
This results in the infinite loop in libpcre3 library that keeps on reading memory until it it eventually causes a segfault at pcre_compile,c:2338 

Test script:
---------------
<?php preg_match("/(((?3)))((?1))/", ""); ?>

Expected result:
----------------
The condition is handled by PCRE and an error is returned by the library

Actual result:
--------------
Segmentation fault. The backtrace is not included due to it's size.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-05 02:52 UTC] v dot bakaitis at gmail dot com
-Summary: A bug in libpcre3 causes PHP to crash if a crafted regex is supplied to preg_ma +Summary: libpcre3 causes PHP to crash if a crafted regex is supplied to preg_match
 [2016-01-05 02:52 UTC] v dot bakaitis at gmail dot com
updated the title
 [2016-01-05 07:16 UTC] pajoye@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-01-05 07:16 UTC] pajoye@php.net
Increase the process stack (config in apache or for the running process) and try again, or you can tweak the expression. You can find other reports here with a more detailed explanation about the issue and how to work around it (may not work tho' as it depends on the expression).

However it is not something we can fix. Sorry.

Classified as "not a bug" as not related to php anyway, but libpcre.
 [2016-01-05 22:20 UTC] stas@php.net
If it's a PCRE issue, maybe it should be reported upstream?
 [2016-01-06 04:42 UTC] pajoye@php.net
Afair there are already reports about circular refs or reached stack limit leading to crash
 [2016-01-13 23:58 UTC] stas@php.net
For the record, upstream bug is https://bugs.exim.org/show_bug.cgi?id=1770
We bundle PCRE however so we may need upgrade
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon May 23 08:05:45 2022 UTC