Your message dated Thu, 23 Sep 2010 08:49:55 +0200
with message-id <[email protected]>
and subject line Bug fixed in Squeeze
has caused the Debian Bug report #429927,
regarding Reproducible stack overflow in PCRE 6.7
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
429927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpcre3
Version: 6.7-1
Severity: normal
description:
------------
Located an apparent bug in the PCRE library.
A reproducible, if slightly random, crash (stack overflow) occurs when using
regexes with certain hex ranges on longish (and random) strings.
The length of the string directly relates to the chance of a segfault, and the
segfault only occurs with certain ranges of hex strings (specifically, ONLY
over x7A and ONLY with text strings of exactly 4843 bytes or longer).
Note that using the regex /^([\x00-\x7A])*$/ causes a segfault, whereas
/^([\x00-\x71])*$/ or /^([\x00-\x79])*$/ does not.
I have submitted the bug to PHP already to confirm it was not an issue with PHP's
handling of PCRE: http://bugs.php.net/41749
I am using 2.6.18-4-amd64 #1 SMP x86_64 GNU/Linux with libc 2.3.6.ds1-13 and
PHP 5.2.0 (all latest stable Debian 4.0).
reproduce code:
---------------
(please excuse the PHP - this is what I was working in when I encountered the
issue)
<?php
/* the length of the string determines the chance of a segfault. */
$strlen = 4846; /* almost total segfault, roughly 100% segfaults */
//$strlen = 4845; /* almost always segfault, roughly 95% segfaults */
//$strlen = 4844; /* mostly segfault, roughly 80% segfaults */
//$strlen = 4843; /* regularly segfault, roughly 30% segfaults */
//$strlen = 4842; /* run without error, roughly 0% segfaults */
$alphabet = range('a', 'z'); /* range of lowercase letters */
$str = null; /* generate the random string */
for($i = 0; $i < $strlen; $i++) { $str .= $alphabet[rand(0,25)]; }
/* perform our regex of doom */
$result = preg_match('/^([\x00-\x7A])*$/', $str);
/* spam our (what should be) boolean result */
var_dump($result);
?>
expected result:
----------------
int(0) or int(1)
actual result:
--------------
Segmentation fault (core dumped)
when running in gdb:
This GDB was configured as "x86_64-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run test.php
Starting program: /usr/bin/php test.php
(no debugging symbols found)
[snip - lots of these]
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 47782002024432 (LWP 11134)]
(no debugging symbols found)
[snip - lots of these]
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47782002024432 (LWP 11134)]
0x00002b751be871a8 in pcre_dfa_exec () from /usr/lib/libpcre.so.3
fix:
----
I suggest that libpcre3 be upgraded to 7.1 or 7.2 where this overflow is not
present (6.7-1 is the only available version in stable, testing or unstable).
Thanks for your time.
Regards,
Joe Harris
Senior Developer
eMomentum Limited
--- End Message ---
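Added example, not part of the bug report or of the Debian reply: the same check written so that PCRE repeats the character class iteratively instead of recursing once per matched byte (the capturing group in `([\x00-\x7A])*` is what forces the per-iteration recursion in PCRE of that era), with the PCRE error state checked so a failed match is never read as "no match". The subject string is constructed in the same way as the reporter's test.php; the limit values are assumptions.

```php
<?php
/* Added example (not the reporter's test.php): a defensive rewrite of the
 * check from Debian bug #429927. Two changes matter:
 *   1. /^[\x00-\x7A]*$/ has no capturing group, so the repeat is handled
 *      iteratively rather than by one recursion level per byte; for a
 *      yes/no answer it is equivalent to /^([\x00-\x7A])*$/.
 *   2. preg_match() can return false or hit a limit; preg_last_error()
 *      distinguishes that from a genuine non-match. */

/* Constructed input, built the same way as in the original report. */
function random_lowercase_string(int $len): string {
    $alphabet = range('a', 'z');
    $str = '';
    for ($i = 0; $i < $len; $i++) {
        $str .= $alphabet[rand(0, 25)];
    }
    return $str;
}

/* Returns true/false for a clean match attempt, null if PCRE reported
 * an error (limit reached, bad UTF-8, internal failure). */
function all_bytes_at_or_below_0x7A(string $subject): ?bool {
    $result = preg_match('/^[\x00-\x7A]*$/', $subject);
    if ($result === false || preg_last_error() !== PREG_NO_ERROR) {
        return null;
    }
    return $result === 1;
}

/* Explicit, modest limits (assumed values); defaults differ across PHP
 * versions, and hitting them surfaces as an error instead of a crash. */
ini_set('pcre.backtrack_limit', '1000000');
ini_set('pcre.recursion_limit', '100000');

$subject = random_lowercase_string(4846);   /* same length as the report */
$verdict = all_bytes_at_or_below_0x7A($subject);
if ($verdict === null) {
    fwrite(STDERR, "PCRE error code " . preg_last_error() . "\n");
    exit(1);
}
var_dump($verdict);
?>
```

Run it as `php test_safe.php`; on the reporter's input class (lowercase ASCII) the verdict is a boolean, and any PCRE limit hit exits non-zero with the error code rather than segfaulting.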
--- Begin Message ---
Version: 8.02-1.1
$ cat test.php
<?php
/* the length of the string determines the chance of a segfault. */
$strlen = 4846; /* almost total segfault, roughly 100% segfaults*/
//$strlen = 4845; /* almost always segfault, roughly 95% segfaults */
//$strlen = 4844; /* mostly segfault, roughly 80% segfaults */
//$strlen = 4843; /* regularly segfault, roughly 30% segfaults */
//$strlen = 4842; /* run without error, roughly 0% segfaults */
$alphabet = range('a', 'z'); /* range of lowercase letters */
$str = null; /* generate the random string */
for($i = 0; $i < $strlen; $i++) { $str .= $alphabet[rand(0,25)]; }
/* perform our regex of doom */
$result = preg_match('/^([\x00-\x7A])*$/', $str);
/* spam our (what should be) boolean result */
var_dump($result);
?>
$ for u in `seq 10000`; do php5 test.php||echo failed; done|uniq -c
10000 int(1)
--
Stéphane
--- End Message ---