From:             Ryan_Hollister at eloyalty dot net
Operating system: Windows XP 32bit
PHP version:      5.3SVN-2009-12-18 (snap)
PHP Bug Type:     *Regular Expressions
Bug description:  Apache/PHP5.3.1 causes stack overflow when executing preg_match_all

Description:
------------
I have a regular expression that would not crash APACHE/PHP in PHP 5.2.8
but now that I have upgraded to PHP 5.3.1 it is unable to execute the
code.

Clearly from the dump there is a stack overflow. My reason for pointing
toward a bug is that 1) it executed fine in 5.2.8 and 2) it only fails on
certain strings.

Some other notes:

1) It executes and completes fine if it is run command line.

2) If I set the PCRE.backtrack_limit = 1100 it will complete fine.

Certainly neither of these options is a resolution to my problem, as I run
a webserver using APACHE and I need the backtrack_limit to be much higher
than 1100 bytes.

Reproduce code:
---------------
<?php
// Pattern under test: group 8 captures a phrase of two or more words, and ( \8)+
// requires that phrase to be repeated immediately afterwards.
$Pattern = "/\b(?!((yellow mellow)|(help you)|(uh? -? ?huh)|(that('s| is) (ok|fine|back))))((?<!['-])(?!_TONES_)[\w'-]+( (?<!['-])(?!_TONES_)[\w'-]+)+) ?( \8)+[ \Z]/i";

//Below is a bad subject (one string, split with '.' for readability)
$Subject = "hello and and and thank you Sam and for your protection would "
    . "you mind seeking the last four digits of your Social Security number OK "
    . "thank you very much a company that OK _TONES_ right OK is that all it says "
    . "is that has any other type of message _TONES_ and and and right well what I "
    . "can do is I can connect us with a member of our service team and then maybe "
    . "they can take a look into and set a little bit of life here for us uh right "
    . "now they it it does is all uh interrelated uh yes you know you were in "
    . "points but the card I know I we do have a visa rewards number that give you "
    . "if you ever want to check how many points he did have or see what you can "
    . "do with those the two run shot that down okay it's one eight hundred for "
    . "one nine here is the own here is he rock you know it's tried them Tony Pete "
    . "DuPont holding for just a brief moment I'll connect us with our service "
    . "came here my pleasure and make a row that they see a gun good have a "
    . "account number five HP nine nine days three zero account for Angeles and "
    . "then and found she said she's having difficulty using her card said never "
    . "works which tries to use that and it had an ATM this one or maybe you some "
    . "questions after the figure out what the problem might be sure she's a "
    . "verifiable vaccination can the salmon per share your patients there I've "
    . "connected you with Annika with their service team she's going to Piazza and "
    . "my pleasure";

//Below is a good subject
//$Subject = "hello ryan ryan ryan for calling Merrill Lynch my name is "
//    . "Robert protest may have your name please have rightly its attention to see "
//    . "Alabama one streak to locate I'm I'm looking to use it is uh hum Merrill "
//    . "Lynch branched off to work in South Holland for world financial center well "
//    . "as an apprentice at eight p.m. and I went there to take a money out of my "
//    . "case I spoke to someone yesterday said I could take I catch that my money "
//    . "market account because liquid account but that whenever I I ever try to "
//    . "take a money and what it says can I complete this chance action that's all "
//    . "it says and then these intelligent kick out of my check and they said that "
//    . "there's no I know there's no money that machine that's why so that but and "
//    . "and OK also not know the quick western ideas that time is linked to my "
//    . "checking account it doesn't give viewpoints for anything is it wanted well "
//    . "just opened up a separate account for about you know you get points to it "
//    . "said plane ticket it's and and and and and OK well and and and it the and "
//    . "and to the OK and yeah please _TONES_ _TONES_ _TONES_ OK oh and and thank "
//    . "you so much right there and and _TONES_ _TONES_ _TONES_ thank you for "
//    . "calling Merrill Lynch this is any guide how math helped heal could hurt for "
//    . "years the in one minute now comes mean to speak with these authorization "
//    . "for women to take a look at the it's not very quickly as to whether or not "
//    . "that's something we need to do and then I can go ahead with worshipers "
//    . "their side OK great no problem and yes and OK thanks thank you so much "
//    . "offense and you can";

$Matches = array();

// Run the match and dump the count plus every capture with its offset.
$MatchCount = preg_match_all($Pattern, $Subject, $Matches, PREG_OFFSET_CAPTURE);
echo ($MatchCount);
echo (print_r($Matches, true));

Expected result:
----------------
I expect the "Bad Subject" to complete execution and return an empty
array.

You can comment out the "Bad Subject" and try the "Good Subject" to see
the proper execution of the regex.

NOTE: In the stack trace below I have removed a significant amount of the
repeating traces in the middle.

Actual result:
--------------
Thread 57 - System ID 3896

Entry point                 msvcrt!_endthreadex+3a
Create time                 12/18/2009 9:48:32 AM
Time spent in user mode     0 Days 0:0:0.0
Time spent in kernel mode   0 Days 0:0:0.15

Function                                      Arg 1     Arg 2     Arg 3     Source
php5ts!match+6                                022bd395  011a3768  022bcf47
php5ts!match+578a                             022bd395  011a3763  022bcf47
php5ts!match+56ae                             022bd395  011a37ca  022bcf47
php5ts!match+6b19                             022bd38d  011a37ca  022bcf47
php5ts!match+578a                             022bd38d  011a3763  022bcf47
php5ts!match+56ae                             022bd38d  011a37ca  022bcf47
php5ts!match+6b19                             022bd387  011a37ca  022bcf47
php5ts!match+578a                             022bd387  011a3763  022bcf47
php5ts!match+56ae                             022bd387  011a37ca  022bcf47
php5ts!match+6b19                             022bd382  011a37ca  022bcf47
php5ts!match+578a                             022bd382  011a3763  022bcf47
php5ts!match+56ae                             022bd382  011a37ca  022bcf47
php5ts!match+6b19                             022bd37b  011a37ca  022bcf47
php5ts!match+578a                             022bd37b  011a3763  022bcf47
php5ts!match+56ae                             022bd37b  011a37ca  022bcf47
php5ts!match+6b19                             022bd376  011a37ca  022bcf47
php5ts!match+578a                             022bd376  011a3763  022bcf47
php5ts!match+56ae                             022bd376  011a37ca  022bcf47
php5ts!match+6b19                             022bd372  011a37ca  022bcf47
php5ts!match+578a                             022bd372  011a3763  022bcf47
php5ts!match+56ae                             022bd372  011a37ca  022bcf47
php5ts!match+6b19                             022bd368  011a37ca  022bcf47
php5ts!match+578a                             022bd368  011a3763  022bcf47
php5ts!match+56ae                             022bd368  011a37ca  022bcf47
php5ts!match+6b19                             022bd363  011a37ca  022bcf47
php5ts!match+578a                             022bd363  011a3763  022bcf47
php5ts!match+56ae                             022bd363  011a37ca  022bcf47
php5ts!match+6b19                             022bd35d  011a37ca  022bcf47
php5ts!match+578a                             022bd35d  011a3763  022bcf47
php5ts!match+56ae                             022bd35d  011a37ca  022bcf47
php5ts!match+6b19                             022bd354  011a37ca  022bcf47
~~~~~~MANY REPEATS REMOVED HERE~~~~~~~
php5ts!match+6b19                             022bcf58  011a37ca  022bcf47
php5ts!match+578a                             022bcf58  011a3763  022bcf47
php5ts!match+56ae                             022bcf58  011a37ca  022bcf47
php5ts!match+6b19                             022bcf52  011a37ca  022bcf47
php5ts!match+578a                             022bcf52  011a3763  022bcf47
php5ts!match+56ae                             022bcf52  011a37ca  022bcf47
php5ts!match+6b19                             022bcf4e  011a37ca  022bcf47
php5ts!match+578a                             022bcf4e  011a3763  022bcf47
php5ts!match+56ae                             022bcf4e  011a37ca  022bcf47
php5ts!match+6b19                             022bcf4a  011a37ca  022bcf47
php5ts!match+578a                             022bcf4a  011a3763  022bcf47
php5ts!match+6b19                             022bcf47  011a3763  022bcf47
php5ts!match+578a                             022bcf47  011a36fe  022bcf47
php5ts!php_pcre_exec+a64                      011a3620  0206fa98  022bce48
php5ts!php_pcre_match_impl+250                011a3838  022bce48  00000578
php5ts!php_do_pcre_match+db                   00000578  022bd448  00000000
php5ts!zif_preg_match_all+25                  00000004  022bd448  00000000
php5ts!zend_do_fcall_common_helper_SPEC+94e   00000000  022f0080  0111eb18
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+130   0206fbf8  0111eb18  0206fe74
php5ts!execute+2fb                            022f0080  0111eb00  00000000
php5ts!zend_execute_scripts+f6                00000008  0111eb18  00000000
php5ts!php_execute_script+245                 0206fe74  0111eb18  00000005
php5apache2_2!php_handler+5d0                 01116b58  0072da80  01116b58
libhttpd!ap_run_handler+21                    01116b58  01116b58  01116b58
libhttpd!ap_invoke_handler+ae                 00000000  01111b00  0206ff38
libhttpd!ap_die+29e                           01116b58  00000000  0072e1d0
libhttpd!ap_get_request_note+1c9c             01111b00  01111b00  01111b00
libhttpd!ap_run_process_connection+21         01111b00  00674e50  0206ff80
libhttpd!ap_process_connection+33             01111b00  0110aad0  00ec0040
libhttpd!ap_regkey_value_remove+c7c           01111af8  00ec0040  00e80000
msvcrt!_endthreadex+a9                        011086f8  00ec0040  00e80000
kernel32!BaseThreadStart+37                   77c3a341  011086f8  00000000


PHP5TS!MATCH+6

In httpd__PID__4032__Date__12_18_2009__Time_09_49_29AM__241__Second_Chance_Exception_C00000FD.dmp
the assembly instruction at php5ts!match+6 in C:\Program Files\PHP53\php5ts.dll
from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying
to write to memory location 0x02032f2c on thread 57


-- 
Edit bug report at http://bugs.php.net/?id=50518&edit=1
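The report's two observations (the script survives with a small pcre.backtrack_limit, and a CLI process with a larger stack survives where an Apache worker thread does not) point at the usual defensive handling for this class of failure: bound the PCRE engine explicitly for the call and read preg_last_error() instead of trusting the return value alone. The block below is an added example, not code from the bug report or from PHP itself. The pattern is copied from the report; the run_bounded_match() helper name, the limit values and the two short subject strings are this example's own constructions. The PHP manual documents that a high pcre.recursion_limit can exhaust the process stack, which is why the example keeps that limit low: PCRE then aborts with PREG_RECURSION_LIMIT_ERROR, which the script can log and handle, instead of overflowing the thread stack.

```php
<?php
// Added example: run preg_match_all() under explicit PCRE limits and report why it stopped.

/**
 * Returns array('count' => int|null, 'matches' => array, 'error' => string).
 * 'count' is null when preg_match_all() returned false; 'error' then says why.
 * Helper name and default limits are choices made for this example.
 */
function run_bounded_match($pattern, $subject, $backtrackLimit = 100000, $recursionLimit = 5000)
{
    // Both directives are PHP_INI_ALL, so they can be narrowed for one call
    // and restored afterwards without touching php.ini.
    $savedBacktrack = ini_get('pcre.backtrack_limit');
    $savedRecursion = ini_get('pcre.recursion_limit');
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    ini_set('pcre.recursion_limit', (string) $recursionLimit);

    $matches = array();
    $count = preg_match_all($pattern, $subject, $matches, PREG_OFFSET_CAPTURE);
    $error = preg_last_error();

    ini_set('pcre.backtrack_limit', $savedBacktrack);
    ini_set('pcre.recursion_limit', $savedRecursion);

    // preg_match_all() only returns false on failure; the reason lives in preg_last_error().
    $names = array(
        PREG_NO_ERROR              => 'ok',
        PREG_INTERNAL_ERROR        => 'internal error',
        PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit hit',
        PREG_RECURSION_LIMIT_ERROR => 'recursion limit hit',
        PREG_BAD_UTF8_ERROR        => 'invalid UTF-8 in subject',
    );
    if (defined('PREG_JIT_STACKLIMIT_ERROR')) {   // PHP 7+ builds with pcre.jit
        $names[PREG_JIT_STACKLIMIT_ERROR] = 'JIT stack limit hit';
    }

    return array(
        'count'   => ($count === false) ? null : $count,
        'matches' => $matches,
        'error'   => isset($names[$error]) ? $names[$error] : 'unknown error ' . $error,
    );
}

// Pattern taken verbatim from the bug report: group 8 captures a phrase of two or
// more words, and ( \8)+ demands one or more immediate copies of that phrase.
$pattern = "/\b(?!((yellow mellow)|(help you)|(uh? -? ?huh)|(that('s| is) (ok|fine|back))))"
         . "((?<!['-])(?!_TONES_)[\w'-]+( (?<!['-])(?!_TONES_)[\w'-]+)+) ?( \8)+[ \Z]/i";

// Constructed subjects for this example (not the transcripts from the report).
$subjects = array(
    'repeated phrase' => "well and and and and thank you for calling ",
    'no repeats'      => "thank you for calling my name is Robert ",
);

foreach ($subjects as $label => $subject) {
    $result = run_bounded_match($pattern, $subject);
    if ($result['count'] === null) {
        // The engine gave up under the limits: record it and treat the input as undecided
        // rather than letting the worker crash or the request hang.
        error_log("preg_match_all aborted on '$label': " . $result['error']);
        continue;
    }
    printf("%s: %d match(es), status %s\n", $label, $result['count'], $result['error']);
}
```

The point of keeping the limits per call is that a pattern with nested quantifiers and a backreference, applied to text you do not control, is a resource-exhaustion risk: the limits cap the worst-case CPU and stack cost, and the logged error code is the signal that a particular input is tripping them. Which inputs match, and whether the limits are reached first, depends on the PCRE build PHP was linked against, so the example reports status rather than assuming a result.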