http://bugs.exim.org/show_bug.cgi?id=1347

Summary: Deep recursion causing SegFault
Product: PCRE
Version: 8.30
Platform: x86-64
URL: http://qbnz.com/
OS/Version: Linux
Status: NEW
Severity: bug
Priority: high
Component: Code
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

Created an attachment (id=620)
 --> (http://bugs.exim.org/attachment.cgi?id=620)
Sample interface script

For a website using Syntax Highlighting based on GeSHi 1.0.X there's a reproducible crash for certain inputs that causes a Segfault while the highlighting is performed.

To reproduce the following things are needed:
- The Source from http://upaste.me/raw/172156204acbac74 (Code to be Highlighted, save alongside example.php from attachment)
- A small GeSHi interface trying to highlight the above code (Place into directory where geshi.php is)
- GeSHi 1.0.X branch (SVN trunk or latest release will do)

When running the above PHP script you get a plain stack overflow crash reproducibly within milliseconds.

Unfortunately I couldn't extract the exact PCRE expression being matched when the crash happens.

What I COULD locate roughly is this stack trace just before the recursion:

---
Breakpoint 1, php_pcre_replace_impl (pce=0x0, subject=0x116ff80 " typedef enum JOBTYPE {\n JT_NOVICE = 0x0,\n JT_SWORDMAN = 0x1,\n JT_MAGICIAN = 0x2,\n JT_ARCHER = 0x3,\n JT_ACOLYTE = 0x4,\n JT_MERCHANT = 0x5,\n JT_THIEF = 0x6,\n JT_KNIGHT = 0x7,\n JT_PRIES"..., subject_len=-1, replace_val=0x7fffffffa884, is_callable_replace=0, result_len=0x473b77 <preg_replace_impl.isra.9+775>, limit=0, replace_count=0x7fffdfd9e910) at /build/buildd/php5-5.4.6/ext/pcre/php_pcre.c:972
972 in /build/buildd/php5-5.4.6/ext/pcre/php_pcre.c
(gdb) bt
#0 php_pcre_replace_impl (pce=0x0, subject=0x116ff80 " typedef enum JOBTYPE {\n JT_NOVICE = 0x0,\n JT_SWORDMAN = 0x1,\n JT_MAGICIAN = 0x2,\n JT_ARCHER = 0x3,\n JT_ACOLYTE = 0x4,\n JT_MERCHANT = 0x5,\n JT_THIEF = 0x6,\n JT_KNIGHT = 0x7,\n JT_PRIES"..., subject_len=-1, replace_val=0x7fffffffa884, is_callable_replace=0, result_len=0x473b77 <preg_replace_impl.isra.9+775>, limit=0, replace_count=0x7fffdfd9e910) at /build/buildd/php5-5.4.6/ext/pcre/php_pcre.c:972
#1 0x00000000004735b3 in php_replace_in_subject (regex=0x7fffdfd68ff8, replace=0x7fffdfd69328, subject=0x7ffff7f96b78, result_len=0x7fffffffa880, limit=32767, is_callable_replace=-539557024, replace_count=0x473b77 <preg_replace_impl.isra.9+775>) at /build/buildd/php5-5.4.6/ext/pcre/php_pcre.c:1281
#2 0x0000000000473b77 in preg_replace_impl.isra.9 (ht=3, return_value=0x7fffdfd68e60, is_callable_replace=0, is_filter=0) at /build/buildd/php5-5.4.6/ext/pcre/php_pcre.c:1379
#3 0x0000000000760282 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f92768) at /build/buildd/php5-5.4.6/Zend/zend_vm_execute.h:642
#4 0x0000000000719ac7 in execute (op_array=0x7fffdfda7bf8) at /build/buildd/php5-5.4.6/Zend/zend_vm_execute.h:410
#5 0x00000000006b98fc in zend_execute_scripts (type=-134491440, retval=0x300000008, file_count=32767) at /build/buildd/php5-5.4.6/Zend/zend.c:1289
#6 0x0000000000658d13 in php_execute_script (primary_file=0x7fff00000001) at /build/buildd/php5-5.4.6/main/main.c:2473
#7 0x00000000007628b3 in do_cli (argc=0, argv=0x7fffffffe538) at /build/buildd/php5-5.4.6/sapi/cli/php_cli.c:988
#8 0x000000000042c460 in main (argc=32767, argv=0xdfe230) at /build/buildd/php5-5.4.6/sapi/cli/php_cli.c:1364
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d996ab in match ( eptr=0x1132949 "TOMB = 0x235,\n JT_4_MYSTCASE = 0x236,\n JT_4_M_SIT_NOVICE = 0x237,\n JT_4_OCTOPUS_LEG = 0x238,\n JT_4_F_NURSE = 0x239,\n JT_4_MAL_SOLDIER = 0x23a,\n JT_4_MAL_CAPTAIN = 0x23b,\n JT_4_MAL_BUDIDA"..., ecode=0x11b07c9 "}", mstart=0x112ff97 "0x0,\n JT_SWORDMAN = 0x1,\n JT_MAGICIAN = 0x2,\n JT_ARCHER = 0x3,\n JT_ACOLYTE = 0x4,\n JT_MERCHANT = 0x5,\n JT_THIEF = 0x6,\n JT_KNIGHT = 0x7,\n JT_PRIEST = 0x8,\n JT_WIZARD = 0x9,\n JT_BLAC"..., offset_top=4, md=0x7fffffffa4d0, eptrb=0x0, rdepth=10674) at pcre_exec.c:1044
1044 pcre_exec.c: File or directory not found.
---

For more information and assistance with debugging this issue feel free to contact me.

--
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
