ID:               49729
User updated by:  kendallb at amainhobbies dot com
Reported By:      kendallb at amainhobbies dot com
Status:           Bogus
Bug Type:         Reproducible crash
Operating System: Mac OS 10.6.1
PHP Version:      5.3.0
New Comment:

Have tested it on Windows and it also fails. We tested on Linux with an
older PHP 5.1.x and it succeeded, but we have not tested PHP 5.3.0 on Linux.

This also crashes but should not:

preg_match('/(.)+/', str_repeat('x', 6000));

Removing the grouping parentheses causes it not to crash.


Previous Comments:
------------------------------------------------------------------------

[2009-10-01 16:06:45] j...@php.net

See bug #47689

------------------------------------------------------------------------

[2009-10-01 11:13:14] sjo...@php.net

Could reproduce with PHP 5.3 rev 288893, MacOS X 10.5.8.

(gdb) r
Starting program: /Users/sjoerd/Sources/php-src-5.3/sapi/cli/php -e -f /Volumes/sjoerd-nfs/public_html/svnreps/test/a.php
Reading symbols for shared libraries ++++++++++....... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xbf7ffa7c
0x00058fed in match (eptr=0x976eca " OF BULLSHIT!!!\n THIS"..., ecode=0xaf07ae "_", mstart=0x976404 "'\n THIS"..., offset_top=4, md=0xbfffeacc, ims=0, eptrb=0x0, flags=0, rdepth=5515) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:432
432 {
(gdb) bt
....
....
....
#5513 0x0005ad96 in match (eptr=0x976406 " THIS"..., ecode=0xaf07c3 "V", mstart=0x976404 "'\n THIS"..., offset_top=4, md=0xbfffeacc, ims=0, eptrb=0x0, flags=0, rdepth=2) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:1361
#5514 0x00059664 in match (eptr=0x976405 "\n THIS"..., ecode=0xaf07be "T", mstart=0x976404 "'\n THIS"..., offset_top=2, md=0xbfffeacc, ims=0, eptrb=0x0, flags=0, rdepth=1) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:720
#5515 0x0005a87d in match (eptr=0x976405 "\n THIS"..., ecode=0xaf07ad "g_", mstart=0x976404 "'\n THIS"..., offset_top=2, md=0xbfffeacc, ims=0, eptrb=0x0, flags=0, rdepth=0) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:1224
#5516 0x00066e97 in php_pcre_exec (argument_re=0xaf0780, extra_data=0xbfffec3c, subject=0x976404 "'\n THIS"..., length=6075, start_offset=0, options=0, offsets=0x972530, offsetcount=6) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:4895
#5517 0x0006d5d6 in php_pcre_replace_impl (pce=0xaf07d0, subject=0x976404 "'\n THIS"..., subject_len=6075, replace_val=0x972344, is_callable_replace=0, result_len=0xbfffee5c, limit=-1, replace_count=0xbfffee48) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1040
#5518 0x0006d346 in php_pcre_replace (regex=0x972438 "/'(\\\\'|\\\\{2}|[^'])*'/", regex_len=21, subject=0x976404 "'\n THIS"..., subject_len=6075, replace_val=0x972344, is_callable_replace=0, result_len=0xbfffee5c, limit=-1, replace_count=0xbfffee48) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:950
#5519 0x0006e347 in php_replace_in_subject (regex=0x9723f8, replace=0x972344, subject=0xc0012c, result_len=0xbfffee5c, limit=-1, is_callable_replace=0, replace_count=0xbfffee48) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1267
#5520 0x0006eeff in preg_replace_impl (ht=3, return_value=0x9723b8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, is_callable_replace=0, is_filter=0) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1367
#5521 0x0006f00a in zif_preg_replace (ht=3, return_value=0x9723b8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1387
#5522 0x0045efd9 in zend_do_fcall_common_helper_SPEC (execute_data=0xc00040) at zend_vm_execute.h:313
#5523 0x004645d9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xc00040) at zend_vm_execute.h:1602
#5524 0x0045e112 in execute (op_array=0x9719f0) at zend_vm_execute.h:104
#5525 0x0042ee7e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/sjoerd/Sources/php-src-5.3/Zend/zend.c:1188
#5526 0x003b3321 in php_execute_script (primary_file=0xbffff7fc) at /Users/sjoerd/Sources/php-src-5.3/main/main.c:2214
#5527 0x00507e5f in main (argc=4, argv=0xbffff8f0) at /Users/sjoerd/Sources/php-src-5.3/sapi/cli/php_cli.c:1190
(gdb)

------------------------------------------------------------------------

[2009-10-01 10:37:43] f...@php.net

Not reproducible on Linux x86, so maybe Mac only.

------------------------------------------------------------------------

[2009-10-01 02:00:38] kendallb at amainhobbies dot com

Description:
------------
The following code causes a crash in PHP 5.3.0 (or 5.2.10) as supplied
by Zend Studio 7. It also causes a crash in PHP 5.3.0 as compiled by
MacPorts, so it appears to be a generic bug.

Reproduce code:
---------------
<?php
/**
 * Cause a segfault in PHP 5.3.0
 */
$html = " THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!!
THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! 
THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! 
THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! THIS IS A BUNCH OF BULLSHIT!!! ";
$sql = "'" . $html . "'";
$preg = "/'(\\\\'|\\\\{2}|[^'])*'/";
$sql = preg_replace($preg, 'replace', $sql);
echo $sql;

Expected result:
----------------
replace

Actual result:
--------------
Segmentation fault.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49729&edit=1
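
A defensive wrapper for calls like the ones in this report, as an added example that is not part of the bug report or of PHP itself: it lowers `pcre.recursion_limit` so that a matcher which recurses on the stack (as in the backtrace above) stops with an error code, and it refuses to pass on a failed result. The helper name `guarded_preg_replace`, the limit of 1000 and the filler subject are assumptions.

```php
<?php
// Added example, not code from the bug report. The helper name and the
// default limit are assumptions; size the limit to the thread stack you have.
function guarded_preg_replace($pattern, $replacement, $subject, $limit = 1000)
{
    // Cap the matcher's recursion depth so a pattern that recurses once per
    // input character returns an error instead of running off the stack.
    $oldLimit = ini_set('pcre.recursion_limit', (string) $limit);
    // The depth limit is enforced by the interpreting matcher, so switch JIT
    // off where the setting exists (ini_set() returns false where it does not).
    $oldJit = ini_set('pcre.jit', '0');

    $result = preg_replace($pattern, $replacement, $subject);
    $error  = preg_last_error();

    // Restore the previous settings for the rest of the request.
    if ($oldLimit !== false) {
        ini_set('pcre.recursion_limit', $oldLimit);
    }
    if ($oldJit !== false) {
        ini_set('pcre.jit', $oldJit);
    }

    // preg_replace() returns NULL on failure; never treat that as output.
    if ($result === null || $error !== PREG_NO_ERROR) {
        $name = ($error === PREG_RECURSION_LIMIT_ERROR) ? 'recursion limit'
              : (($error === PREG_BACKTRACK_LIMIT_ERROR) ? 'backtrack limit' : "code $error");
        throw new RuntimeException("PCRE gave up ($name) on " . strlen($subject) . " bytes");
    }
    return $result;
}

// Constructed input: the one-line case from the newest comment, the same
// match without the capturing group, then the reporter's pattern.
$cases = array(
    array('/(.)+/', str_repeat('x', 6000)),
    array('/.+/', str_repeat('x', 6000)),
    array("/'(\\\\'|\\\\{2}|[^'])*'/", "'" . str_repeat("filler text\n", 500) . "'"),
);
foreach ($cases as $case) {
    try {
        $out = guarded_preg_replace($case[0], 'replace', $case[1]);
        echo $case[0], ' => ', $out, "\n";
    } catch (RuntimeException $e) {
        echo $case[0], ' => ', $e->getMessage(), "\n";
    }
}
```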