php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #74087 Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
Submitted: 2017-02-12 09:32 UTC Modified: 2017-07-05 04:12 UTC
From: idaifish at gmail dot com Assigned:
Status: Closed Package: PCRE related
PHP Version: 7.1.1 OS: Ubuntu16.04LTS
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: idaifish at gmail dot com
New email:
PHP Version: OS:

 

 [2017-02-12 09:32 UTC] idaifish at gmail dot com 
Description:
------------
Segmentation fault.

Tested on Ubuntu16.04LTS.

$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies


Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";

preg_match($pattern, "helloworld");

?>


Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
    #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
    #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
    #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
    #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
    #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
    #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
    #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
    #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
    #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
    #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
    #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
    #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
    #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
    #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
    #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
    #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath


GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8, cc=0x1f04d4f "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8, cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1, errorptr=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120) at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized out>, subject_len=<optimized out>, replace_val=<optimized out>, is_callable_replace=<optimized out>, limit=<optimized out>, replace_count=<optimized out>, subject_str=<optimized out>) at ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=<optimized out>, limit=-1, is_callable_replace=0, replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78, regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250, limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0, return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>, retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1381

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-13 02:09 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2017-02-13 02:09 UTC] stas@php.net 
Looks like PCRE issue, please report upstream to PCRE maintainers.
 [2017-02-13 08:04 UTC] idaifish at gmail dot com
-Status: Feedback +Status: Open
 [2017-02-13 08:04 UTC] idaifish at gmail dot com 
Ok, I'll report it to maintainers.
 [2017-02-13 23:55 UTC] cmb@php.net 
> Ok, I'll report it to maintainers.

Thanks! Please don't forget to link to the upstream report (once
it is publicly available).
 [2017-02-14 11:06 UTC] idaifish at gmail dot com 
Update: Bug has been fixed.

report: https://bugs.exim.org/show_bug.cgi?id=2035
patch: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch
 [2017-07-05 04:13 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7f4fd470635c30018d7ac71ab3b848195bf8795
Log: Fix bug #74087
 [2017-07-05 04:13 UTC] stas@php.net
-Status: Open +Status: Closed
 [2017-07-05 04:23 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7f4fd470635c30018d7ac71ab3b848195bf8795
Log: Fix bug #74087
 [2017-07-06 08:50 UTC] krakjoe@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73915a2bd61f21fd809b4d50af9aba950f43e807
Log: Fix bug #74087
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 01:01:28 2024 UTC