Bug #7509 Problem (buffer overflow?) with ereg()
Submitted: 2000-10-28 06:12 UTC Modified: 2000-10-30 12:57 UTC
From: ignacio at openservices dot net Assigned:
Status: Closed Package: Regexps related
PHP Version: 4.0 Latest CVS (28/10/2000) OS: Red Hat Linux 6.2
Private report: No CVE-ID: None
 [2000-10-28 06:12 UTC] ignacio at openservices dot net
When I give ereg() a sufficiently complex RE, PHP seems to roll over and die or something the next time it calls ereg(). It has exhibited this behavior since 4.0.1pl2, when we first put the code in place.

Here's the code:

"""
  while (ereg("^((.|\n)*)<[[:space:]]*[Ff][Oo][Rr][Mm][Ss][Ee][Tt][[:space:]]*([Tt][Yy][Pp][Ee]=(\"[^\"]*\"|[^\">]*))?[[:space:]]*>((.|\n)*)$", $string, $out))
  {
    error_log("after 1",0);
    flush();
    if ($out[4][0]=="\"")
    {
      error_log("after 2",0);
      flush();
      $type=substr($out[4], 1, -1);
      error_log("after 3",0);
      flush();
    }
    else
    {
      error_log("after 4",0);
      flush();
      $type=$out[4];
      error_log("after 5",0);
      flush();
    };
    error_log("after 6",0);
    $string=$out[1].FORMSETFUN($type).$out[5];
    error_log("after 7",0);
    flush();
    $formexists=1;
  };
  error_log("after formset",0);
  flush();
"""

It gets to "after 7" and then dies. If the 'while' is changed to an 'if', the problem exhibits itself on subsequent calls to ereg() further down.

PHP is configured to use the system RE libs, so I'm wondering if the problem might be in there. Nonetheless, I'm putting it in the PHP bug list so I can be sure.

 [2000-10-30 12:57 UTC] ignacio at openservices dot net
Hmm... configured with '--with-regex=php' and it works fine now. Oh well. Time to dig through the source and send Red Hat a bug report I suppose.
 [2002-07-10 14:24 UTC] estelle at megaphone dot ch
Solaris 8, php 4.1.2, apache 1.3.26 (dso). Recompiled PHP --with-regex=php : problem still here.
httpd child takes 100% CPU on the ereg function.
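
A defensive rewrite of the loop from the report, added here as an example; it is not code from the reporters or from the PHP project. It assumes PCRE (`preg_*`) is available, that the expensive part of the pattern is the pair of `((.|\n)*)` groups around the tag (the report does not confirm the cause), and that `FORMSETFUN()` never returns text containing another FORMSET tag. `formset_fun()` and `rewrite_formsets()` are hypothetical names.

```php
<?php
// Hypothetical stand-in for FORMSETFUN(), whose body is not shown in the report.
function formset_fun(string $type): string
{
    return '[formset:' . $type . ']';
}

// Rewrites every <FORMSET ...> tag in one left-to-right pass.
// Throws instead of hanging or returning silently when PCRE gives up.
function rewrite_formsets(string $html, ?bool &$formExists = null): string
{
    // Tag grammar from the report's ereg() pattern, without the two
    // "((.|\n)*)" groups that captured the text around the tag.
    // "*+" is possessive: the unquoted value never gives characters back.
    $tag = '/<\s*formset\s*(?:type=("[^"]*"|[^">]*+))?\s*>/i';

    $count = 0;
    $result = preg_replace_callback(
        $tag,
        function (array $m): string {
            $type = $m[1] ?? '';
            // Strip the surrounding quotes, as the original loop did.
            if ($type !== '' && $type[0] === '"') {
                $type = substr($type, 1, -1);
            }
            return formset_fun($type);
        },
        $html,
        -1,
        $count
    );

    if ($result === null) {
        // For example PREG_BACKTRACK_LIMIT_ERROR when pcre.backtrack_limit is hit.
        throw new RuntimeException('PCRE error ' . preg_last_error());
    }
    $formExists = $count > 0;
    return $result;
}

// Constructed sample input, not taken from the report.
$sample = "<p>intro</p>\n<FormSet TYPE=\"wizard\">\n<formset type=plain >\n<formset>";
echo rewrite_formsets($sample, $exists), "\n";
```

Because the pattern matches only the tag itself, the work per match is bounded by the tag's length, and a `null` return from `preg_replace_callback()` surfaces as an exception that can be logged rather than as a worker process pinned at 100% CPU.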
 