Bug #75863 test case ext/mbstring/tests/mb_ereg.phpt crashes on s390x
Submitted: 2018-01-23 17:56 UTC Modified: -
From: samding at ca dot ibm dot com Assigned:
Status: Open Package: Reproducible crash
PHP Version: 7.2.1 OS: RHEL 7.2
Private report: No CVE-ID: None
 [2018-01-23 17:56 UTC] samding at ca dot ibm dot com
Description:
------------
Running the test cases:
   ext/mbstring/tests/mb_ereg.phpt
   ext/mbstring/tests/mb_ereg_variation5.phpt
crashes on s390x (or other big-endian platforms).

The gdb backtrace is as follows (the macros STATE_CHECK_VAL and STATE_CHECK_POS have been replaced with their expansions):

(gdb) l
2476    //      STATE_CHECK_VAL(scv, mem);
2477     do {
2478      if (state_check_buff != NULL) {
2479    //    int x = STATE_CHECK_POS(s,mem);
2480        int x = (((s) - str) * num_comb_exp_check + ((mem) - 1));
2481        (scv) = state_check_buff[x/8] & (1<<(x%8));
2482      }
2483      else (scv) = 0;
2484    } while(0);
2485
(gdb) bt
#0  0x00000000803aa344 in match_at (reg=0x815a3650,
    str=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, end=0x3fffb602573 "", right_range=0x3fffb602573 "",
    sstart=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, sprev=0x3fffb60256d "\244\357\244\361\244", <incomplete sequence \363>, msa=0x3ffffffb110)
    at /home/work/php/php/ext/mbstring/oniguruma/src/regexec.c:2481
#1  0x00000000803b0b00 in onig_search (reg=0x815a3650,
    str=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, end=0x3fffb602573 "",
    start=0x3fffb602558 "\243\341\243\342\243\343 \244\242\244\252\244\244 \244\253\244\263\244\312 \244\357\244\361\244", <incomplete sequence \363>, range=0x3fffb602573 "", region=0x815a3310, option=0) at /home/work/php/php/ext/mbstring/oniguruma/src/regexec.c:3664
#2  0x0000000080419d2c in _php_mb_regex_ereg_exec (execute_data=0x3fffb61c3b0, return_value=0x3fffb61c2c0, icase=0)
    at /home/work/php/php/ext/mbstring/php_mbregex.c:750
#3  0x0000000080419f0a in zif_mb_ereg (execute_data=0x3fffb61c3b0, return_value=0x3fffb61c2c0)
    at /home/work/php/php/ext/mbstring/php_mbregex.c:786
#4  0x000000008094b9f4 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x3fffb61c1d0)
    at /home/work/php/php/Zend/zend_vm_execute.h:617
#5  0x0000000080ab5204 in execute_ex (ex=0x3fffb61c030) at /home/work/php/php/Zend/zend_vm_execute.h:59726
#6  0x0000000080ab57b8 in zend_execute (op_array=0x3fffb67c2a0, return_value=0x0) at /home/work/php/php/Zend/zend_vm_execute.h:63763
#7  0x00000000808917c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/work/php/php/Zend/zend.c:1496
#8  0x00000000807b75b4 in php_execute_script (primary_file=0x3ffffffee18) at /home/work/php/php/main/main.c:2590
#9  0x0000000080ab9e0e in do_cli (argc=2, argv=0x8145ace0) at /home/work/php/php/sapi/cli/php_cli.c:1011
#10 0x0000000080abb076 in main (argc=2, argv=0x8145ace0) at /home/work/php/php/sapi/cli/php_cli.c:1404


Test script:
---------------
In the php_src home folder:

gdb sapi/cli/php
r ext/mbstring/tests/mb_ereg.phpt

Actual result:
--------------
It crashed at

2481        (scv) = state_check_buff[x/8] & (1<<(x%8));

(gdb) p x
$1 = 196680
(gdb) p x/8
$2 = 24585

This index is outside the bounds of the state_check_buff array.

 [2018-01-24 15:24 UTC] samding at ca dot ibm dot com
"mem" comes from the macro

 553 #define GET_STATE_CHECK_NUM_INC(num,p)  PLATFORM_GET_INC(num, p, StateCheckNumType)

    191 #define PLATFORM_GET_INC(val,p,type) do{\
    192   val  = *(type* )p;\
    193   (p) += sizeof(type);\
    194 } while(0)
Note that "type" (StateCheckNumType) is defined as "short" while "mem" is an int,
so line 193, "(p) += sizeof(type);", causes the issue on big-endian platforms.

The solution: change "StateCheckNumType" to "int".
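To make the reported mechanism concrete for both the crash in the description and the macro diagnosis above, here is an added illustration (not Oniguruma's or PHP's code) that simulates reading an int-wide serialized field through a short-wide reader in either byte order, recomputes the STATE_CHECK_POS index shown in the backtrace, and adds the bounds check the crashing line lacks. The byte-order simulation, the 4-byte field width, the two-field stream and the buffer length are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simulated byte orders; the byte order of the machine running this is irrelevant. */
enum bo { BO_LITTLE, BO_BIG };

/* Writer side (assumed): serialize v as a 4-byte int in byte order bo. */
static void put_int(unsigned char *out, int32_t v, enum bo bo) {
    for (int i = 0; i < 4; i++) {
        int shift = (bo == BO_LITTLE) ? 8 * i : 8 * (3 - i);
        out[i] = (unsigned char)(((uint32_t)v >> shift) & 0xffu);
    }
}

/* Reader side, modelled on PLATFORM_GET_INC: read `width` bytes at *p as an
   integer in byte order bo and advance *p by `width` (width 2 plays "short"). */
static int32_t get_inc(const unsigned char **p, size_t width, enum bo bo) {
    uint32_t u = 0;
    for (size_t i = 0; i < width; i++) {
        int shift = (bo == BO_LITTLE) ? 8 * (int)i : 8 * (int)(width - 1 - i);
        u |= (uint32_t)(*p)[i] << shift;
    }
    *p += width;
    return (int32_t)u;
}

/* Constructed stream of two 4-byte fields (mem, then the next operand) decoded
   with a reader of `width` bytes. Returns mem as read; *next shows the desync. */
static int32_t read_mem_then_next(int32_t mem, int32_t next_field, size_t width,
                                  enum bo bo, int32_t *next) {
    unsigned char stream[8];
    put_int(stream, mem, bo);
    put_int(stream + 4, next_field, bo);
    const unsigned char *p = stream;
    int32_t m = get_inc(&p, width, bo);
    *next = get_inc(&p, width, bo);
    return m;
}

/* STATE_CHECK_POS exactly as expanded in the report:
   x = (s - str) * num_comb_exp_check + (mem - 1). */
static long state_check_pos(long s_minus_str, long num_comb_exp_check, long mem) {
    return s_minus_str * num_comb_exp_check + (mem - 1);
}

/* The check the crashing line is missing: x/8 must index inside state_check_buff. */
static int state_check_in_bounds(long x, size_t buff_len) {
    return x >= 0 && (size_t)(x / 8) < buff_len;
}
```

With a 2-byte reader the little-endian run returns the right first value and silently desynchronizes the following field, while the big-endian run returns 0 for mem immediately; with the report's x of 196680 and any buffer shorter than 24586 bytes the bounds check rejects the index instead of reading past the array.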
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Aug 20 22:01:30 2019 UTC