php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74588 Infinite recursion within get_min_match_length() leads to SEGV
Submitted: 2017-05-14 06:28 UTC Modified: 2017-06-06 02:32 UTC
Votes:2
Avg. Score:2.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: xixabangm4 at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.1.5 OS: *
Private report: No CVE-ID: None
 [2017-05-14 06:28 UTC] xixabangm4 at gmail dot com
Description:
------------
Version tested: PHP-5.6.30 on x86_6; PHP-7.1.5 / x86 likely affected too.

Build bin/php with -fsanitize=address, --enable-mbstring



Test script:
---------------
$ cat get_min_match_len/recurse.php 
<?php

if (!extension_loaded('mbstring')) print "mbstring not loaded.\n";
if (!function_exists('mb_ereg_replace')) print "mb_ereg_replace() is not available\n";

echo "*** Testing mb_ereg_replace() ***\n";

echo mb_ereg_replace("(\\2)(\\1)", "1", "a");

?>



Expected result:
----------------
No crash

Actual result:
--------------
$ php get_min_match_len/recurse.php

*** Testing mb_ereg_replace() ***
ASAN:SIGSEGV
=================================================================
==11343==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec8781ff8 (pc 0x0000008d5ed6 bp 0x7ffec8782000 sp 0x7ffec8782000 T0)
    #0 0x8d5ed5 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2025
    #1 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #2 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #3 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #4 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #5 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #6 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #7 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #8 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    <..240 lines cut..>
    #249 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122
    #250 0x8d626c in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2041
    #251 0x8d6d82 in get_min_match_length /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2122

SUMMARY: AddressSanitizer: stack-overflow /home/xie/php-5.6.30/ext/mbstring/oniguruma/regcomp.c:2025 get_min_match_length
==11343==ABORTING


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-05-14 19:12 UTC] andrew dot nester dot dev at gmail dot com
I guess issue relates to bundled library `oniguruma` library which is used for regexp things. 
https://github.com/kkos/oniguruma
 [2017-05-19 00:33 UTC] ryan dot jentzsch at gmail dot com
I can confirm this is a bug in 7.1.5 - Segfaults
Appears to be solved in PHP 7.2.0-dev (cli) (built: May 18 2017 18:27:41) ( ZTS )
 [2017-06-06 02:32 UTC] xixabangm4 at gmail dot com
-: l dot wei at ntu dot edu dot sg +: xixabangm4 at gmail dot com -Status: Open +Status: Closed
 [2017-06-06 02:32 UTC] xixabangm4 at gmail dot com
Issue closed as resolved.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 09 23:01:27 2024 UTC