Bug #72143 preg_replace uses int instead of size_t on zend_string_allocs
Submitted: 2016-05-03 12:53 UTC Modified: 2016-05-14 07:22 UTC
From: burmartke at gmail dot com Assigned: krakjoe (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.6 OS: Ubuntu 16.04 LTS
Private report: No CVE-ID: None
 [2016-05-03 12:53 UTC] burmartke at gmail dot com
Description:
------------
preg_replace() declares its alloc_len as an int, and zend_string_(re)alloc() expects a size_t, so when it tries to allocate a string >= 0x40000000 it gets sign-extended and the alloc fails.

Test script:
---------------
<?php

error_log( "++++++++++++++++++++++++++begin " );

// 0x40000000 (2^30) bytes of 'a' followed by a single 'b': roughly 1 GiB of subject.
$str = str_repeat( 'a', 0x40000000 ) . 'b';

// Log the subject length next to the sign-extended size from the OOM message
// (18446744071562068000 == 0xffffffff80000000).
$len = strlen( $str );
error_log( "len=$len (0x" . dechex( $len ) . ")" . ", 18446744071562068000 (0x" . dechex( 18446744071562068000 ) . ")" );

// The only match is the trailing 'b', so the part before the match is 0x40000000 bytes long.
$out = preg_replace( '/b/', '', $str );

error_log( "++++++++++++++++++++++++++end " );


Expected result:
----------------
A successful replace.

++++++++++++++++++++++++++begin
len=1073741825 (0x40000001), 18446744071562068000 (0xffffffff80000000)
++++++++++++++++++++++++++end 


Actual result:
--------------
Either a PHP Fatal error:  Out of memory (allocated 1075843072) (tried to allocate 18446744071562068000 bytes) or a segmentation fault.
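As an added illustration of the defect class the report describes (this is not php-src code, not the reporter's patch and not the fix commit): the allocation length lives in a 32-bit `int`, is doubled, wraps to INT_MIN once the text before the match reaches 0x40000000 bytes, and the negative value is sign-extended when it is implicitly converted to the allocator's `size_t` parameter. The model assumes the 64-bit `zend_string` layout (a 24-byte header plus a terminating NUL, rounded up to 8 bytes) so that the sign-extended length turns into the 18446744071562068000-byte request seen in the Actual result; `buggy_request`, `fixed_request`, `modeled_alloc_request` and `as_int32` are hypothetical names. The `size_t` version mirrors the type change of the fix; its explicit overflow guard is an extra defensive check added here, not part of the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 64-bit zend_string layout: 24-byte header before the payload,
 * one NUL byte after it, request rounded up to an 8-byte boundary. */
#define HDR_BYTES 24u
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)

/* Size the allocator would be asked for to hold a string of `len` bytes. */
static size_t modeled_alloc_request(size_t len) {
    return ALIGN8(HDR_BYTES + len + 1);
}

/* Two's-complement reinterpretation of a 32-bit value, written so the example
 * shows the wrap-around without invoking signed-overflow undefined behaviour. */
static int32_t as_int32(uint32_t v) {
    return v > (uint32_t)INT32_MAX ? -(int32_t)(UINT32_MAX - v) - 1 : (int32_t)v;
}

/* Pre-fix shape: the running allocation length is a 32-bit int.
 * Returns the byte count that reaches the allocator after the implicit
 * int -> size_t conversion. */
size_t buggy_request(size_t new_len) {
    int32_t alloc_len = 0;
    if (new_len >= (size_t)alloc_len) {
        /* 2 * new_len evaluated in 32 bits: becomes negative at new_len >= 0x40000000 */
        alloc_len = as_int32((uint32_t)alloc_len + 2u * (uint32_t)new_len);
    }
    /* A negative int converted to size_t is sign-extended: 0x80000000 -> 0xFFFFFFFF80000000 */
    return modeled_alloc_request((size_t)alloc_len);
}

/* Post-fix shape: the running allocation length is a size_t.
 * Returns 0 if doubling would overflow (added defensive check, not in the commit). */
size_t fixed_request(size_t new_len) {
    size_t alloc_len = 0;
    if (new_len >= alloc_len) {
        if (new_len > (SIZE_MAX - HDR_BYTES - 8 - alloc_len) / 2) {
            return 0;
        }
        alloc_len = alloc_len + 2 * new_len;
    }
    return modeled_alloc_request(alloc_len);
}

int main(void) {
    /* Bytes before the 'b' in the reporter's script: 0x40000000 */
    size_t new_len = (size_t)0x40000000;
    printf("int alloc_len:    %zu bytes requested\n", buggy_request(new_len));
    printf("size_t alloc_len: %zu bytes requested\n", fixed_request(new_len));
    return 0;
}
```

Compiled with `cc -std=c99`, the first line prints the same 18446744071562068000 that the Out of memory message reports, and the second prints the roughly 2 GiB request the allocator should have received. Nothing here allocates that memory; only the size arithmetic is modelled.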

Patches

pcre_preg_replace_alloc_int_to_size_t.patch (last revision 2016-05-03 12:53 UTC) by burmartke at gmail dot com


Pull Requests


History

 [2016-05-14 07:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90f46f2c5bdd3ab0e5dbc3aec1b3294ea1981abe
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-14 07:21 UTC] krakjoe@php.net
-Status: Open +Status: Closed
 [2016-05-14 07:21 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-14 07:22 UTC] krakjoe@php.net
-Assigned To: +Assigned To: krakjoe
 [2016-05-14 07:22 UTC] krakjoe@php.net
Thanks. 

I didn't add a test, this is an obvious programming error, and it's unreasonable to create tests that allocate that much memory, I think.
 [2016-05-16 03:22 UTC] laruence@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-05-16 03:25 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9e7afa75140afd047cb95280a610cff9368a7517
Log: Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)"
 [2016-05-16 13:23 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b3a4c6101abeef297bfb415493e96bbeda3d110
Log: Revert "Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)""
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0b3a4c6101abeef297bfb415493e96bbeda3d110
Log: Revert "Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)""
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9e7afa75140afd047cb95280a610cff9368a7517
Log: Revert "fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90f46f2c5bdd3ab0e5dbc3aec1b3294ea1981abe
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fb951553be0175712f4b757e05004110d7421e04
Log: fix #72143 (preg_replace uses int instead of size_t on zend_string_allocs)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC