Bug #7509 Problem (buffer overflow?) with ereg()
Submitted: 2000-10-28 06:12 UTC Modified: 2000-10-30 12:57 UTC
From: ignacio at openservices dot net Assigned:
Status: Closed Package: Regexps related
PHP Version: 4.0 Latest CVS (28/10/2000) OS: Red Hat Linux 6.2
Private report: No CVE-ID: None
 [2000-10-28 06:12 UTC] ignacio at openservices dot net
When I give ereg() a sufficiently complex RE, PHP seems to roll over and die or something the next time it calls ereg(). It has exhibited this behavior since 4.0.1pl2, when we first put the code in place.

Here's the code:

"""
  while (ereg("^((.|\n)*)<[[:space:]]*[Ff][Oo][Rr][Mm][Ss][Ee][Tt][[:space:]]*([Tt][Yy][Pp][Ee]=(\"[^\"]*\"|[^\">]*))?[[:space:]]*>((.|\n)*)$", $string, $out))
  {
    error_log("after 1",0);
    flush();
    if ($out[4][0]=="\"")
    {
      error_log("after 2",0);
      flush();
      $type=substr($out[4], 1, -1);
      error_log("after 3",0);
      flush();
    }
    else
    {
      error_log("after 4",0);
      flush();
      $type=$out[4];
      error_log("after 5",0);
      flush();
    };
    error_log("after 6",0);
    $string=$out[1].FORMSETFUN($type).$out[5];
    error_log("after 7",0);
    flush();
    $formexists=1;
  };
  error_log("after formset",0);
  flush();
"""

It gets to "after 7" and then dies. If the 'while' is changed to an 'if', the problem exhibits itself on subsequent calls to ereg() further down.

PHP is configured to use the system RE libs, so I'm wondering if the problem might be in there. Nonetheless, I'm putting it in the PHP bug list so I can be sure.

 [2000-10-30 12:57 UTC] ignacio at openservices dot net
Hmm... configured with '--with-regex=php' and it works fine now. Oh well. Time to dig through the source and send Red Hat a bug report I suppose.
 [2002-07-10 14:24 UTC] estelle at megaphone dot ch
Solaris 8, php 4.1.2, apache 1.3.26 (dso). Recompiled PHP --with-regex=php : problem still here.
httpd child takes 100% CPU on the ereg function.
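
The pattern in the report wraps the tag in `((.|\n)*)` on both sides, so every loop iteration makes the regex engine match and capture the entire string. As an added example (not part of the original thread and not the reporter's code), the same substitution can be done in one pass with an unanchored PCRE pattern and `preg_replace_callback()`, which needs neither wrapper. `FORMSETFUN()` is stubbed here as an assumption, and unlike the `while` loop this version does not rescan text that `FORMSETFUN()` returns.

```php
<?php
// Added example, not code from the bug report.
// FORMSETFUN() is the reporter's function; its body is not on the page,
// so this stub is an assumption for illustration only.
function FORMSETFUN(string $type): string
{
    return '[formset:' . $type . ']';
}

/**
 * Replace every <formset [type=...]> tag in one left-to-right pass.
 * Returns the rewritten string and whether any tag was found.
 */
function replace_formsets(string $string): array
{
    // Same tag grammar as the ereg() pattern, minus the ^((.|\n)*) and
    // ((.|\n)*)$ wrappers; /i replaces the [Ff][Oo]... character classes.
    $pattern = '/<\s*formset\s*(?:type=("[^"]*"|[^">]*))?\s*>/i';

    $result = preg_replace_callback(
        $pattern,
        function (array $m): string {
            $type = $m[1] ?? '';
            // Strip surrounding quotes, as substr($out[4], 1, -1) did.
            if ($type !== '' && $type[0] === '"') {
                $type = substr($type, 1, -1);
            }
            return FORMSETFUN($type);
        },
        $string,
        -1,
        $count
    );

    // preg_replace_callback() returns null on engine errors such as
    // hitting pcre.backtrack_limit; fail loudly instead of using null.
    if ($result === null) {
        throw new RuntimeException('PCRE error: ' . preg_last_error_msg());
    }
    return [$result, $count > 0];
}

// Constructed sample input.
$html = "<p>a</p>\n<FormSet type=\"wide\">\n<formset>\n<formset type=narrow >";
[$out, $formexists] = replace_formsets($html);
echo $out, "\n";
```

`preg_last_error_msg()` requires PHP 8.0 or later; on older versions check `preg_last_error()` instead.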
 
Last updated: Sun Jul 21 12:01:28 2024 UTC