php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #71278 libpcre3 causes PHP to crash if a crafted regex is supplied to preg_match
Submitted: 2016-01-05 02:46 UTC Modified: 2016-01-13 23:58 UTC
From: v dot bakaitis at gmail dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.6.16 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: v dot bakaitis at gmail dot com
New email:
PHP Version: OS:

 

 [2016-01-05 02:46 UTC] v dot bakaitis at gmail dot com 
Description:
------------
libpcre3 does not properly check for circular references when numbered patterns are used, e.g.

/(((?3)))((?1))/
This results in the infinite loop in libpcre3 library that keeps on reading memory until it it eventually causes a segfault at pcre_compile,c:2338 

Test script:
---------------
<?php preg_match("/(((?3)))((?1))/", ""); ?>

Expected result:
----------------
The condition is handled by PCRE and an error is returned by the library

Actual result:
--------------
Segmentation fault. The backtrace is not included due to it's size.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-05 02:52 UTC] v dot bakaitis at gmail dot com
-Summary: A bug in libpcre3 causes PHP to crash if a crafted regex is supplied to preg_ma +Summary: libpcre3 causes PHP to crash if a crafted regex is supplied to preg_match
 [2016-01-05 02:52 UTC] v dot bakaitis at gmail dot com 
updated the title
 [2016-01-05 07:16 UTC] pajoye@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-01-05 07:16 UTC] pajoye@php.net 
Increase the process stack (config in apache or for the running process) and try again, or you can tweak the expression. You can find other reports here with a more detailed explanation about the issue and how to work around it (may not work tho' as it depends on the expression).

However it is not something we can fix. Sorry.

Classified as "not a bug" as not related to php anyway, but libpcre.
 [2016-01-05 22:20 UTC] stas@php.net 
If it's a PCRE issue, maybe it should be reported upstream?
 [2016-01-06 04:42 UTC] pajoye@php.net 
Afair there are already reports about circular refs or reached stack limit leading to crash
 [2016-01-13 23:58 UTC] stas@php.net 
For the record, upstream bug is https://bugs.exim.org/show_bug.cgi?id=1770
We bundle PCRE however so we may need upgrade
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 21:01:28 2024 UTC