ID: 50518
Updated by: paj...@php.net
Reported By: Ryan_Hollister at eloyalty dot net
-Status: Open
+Status: Bogus
Bug Type: *Regular Expressions
Operating System: Windows XP 32bit
PHP Version: 5.3SVN-2009-12-18 (snap)
New Comment:

Not a php problem. See bug #47689 about how to "fix" apache.

Previous Comments:
------------------------------------------------------------------------

[2009-12-18 15:58:48] Ryan_Hollister at eloyalty dot net

Description:
------------
I have a regular expression that would not crash APACHE/PHP in PHP 5.2.8 but now that I have upgraded to PHP 5.3.1 it is unable to execute the code. Clearly from the dump there is a stack overflow. My reason for pointing toward a bug is that 1) it executed fine in 5.2.8 and 2) It only fails on certain strings.

Some other notes:
1) It executes and completes fine if it is run command line.
2) If I set the PCRE.backtrack_limit = 1100 it will complete fine.

Certainly neither of these options are resolutions to my problem as I run a webserver using APACHE and I need the backtrack_limit to be much higher than 1100 bytes.

Reproduce code:
---------------
$Pattern = "/\b(?!((yellow mellow)|(help you)|(uh? -? ?huh)|(that('s| is) (ok|fine|back))))((?<!['-])(?!_TONES_)[\w'-]+( (?<!['-])(?!_TONES_)[\w'-]+)+) ?( \8)+[ \Z]/i";

//Below is a bad subject
$Subject = "hello and and and thank you Sam and for your protection would you mind seeking the last four digits of your Social Security number OK thank you very much a company that OK _TONES_ right OK is that all it says is that has any other type of message _TONES_ and and and right well what I can do is I can connect us with a member of our service team and then maybe they can take a look into and set a little bit of life here for us uh right now they it it does is all uh interrelated uh yes you know you were in points but the card I know I we do have a visa rewards number that give you if you ever want to check how many points he did have or see what you can do with those the two run shot that down okay it's one eight hundred for one nine here is the own here is he rock you know it's tried them Tony Pete DuPont holding for just a brief moment I'll connect us with our service came here my pleasure and make a row that they see a gun good have a account number five HP nine nine days three zero account for Angeles and then and found she said she's having difficulty using her card said never works which tries to use that and it had an ATM this one or maybe you some questions after the figure out what the problem might be sure she's a verifiable vaccination can the salmon per share your patients there I've connected you with Annika with their service team she's going to Piazza and my pleasure";

//Below is a good subject
//$Subject = "hello ryan ryan ryan for calling Merrill Lynch my name is Robert protest may have your name please have rightly its attention to see Alabama one streak to locate I'm I'm looking to use it is uh hum Merrill Lynch branched off to work in South Holland for world financial center well as an apprentice at eight p.m. and I went there to take a money out of my case I spoke to someone yesterday said I could take I catch that my money market account because liquid account but that whenever I I ever try to take a money and what it says can I complete this chance action that's all it says and then these intelligent kick out of my check and they said that there's no I know there's no money that machine that's why so that but and and OK also not know the quick western ideas that time is linked to my checking account it doesn't give viewpoints for anything is it wanted well just opened up a separate account for about you know you get points to it said plane ticket it's and and and and and OK well and and and it the and and to the OK and yeah please _TONES_ _TONES_ _TONES_ OK oh and and thank you so much right there and and _TONES_ _TONES_ _TONES_ thank you for calling Merrill Lynch this is any guide how math helped heal could hurt for years the in one minute now comes mean to speak with these authorization for women to take a look at the it's not very quickly as to whether or not that's something we need to do and then I can go ahead with worshipers their side OK great no problem and yes and OK thanks thank you so much offense and you can";

$Matches = array();
$MatchCount = preg_match_all($Pattern, $Subject, $Matches, PREG_OFFSET_CAPTURE);
echo ($MatchCount);
echo (print_r($Matches, true));

Expected result:
----------------
I expect the "Bad Subject" to complete execution and return an empty array. You can comment out the "Bad Subject" and try the "Good Subject" to see the proper execution of the regex.

NOTE: In the stack trace below I have removed a significant amount of the repeating traces in the middle.

Actual result:
--------------
Thread 57 - System ID 3896

Entry point msvcrt!_endthreadex+3a
Create time 12/18/2009 9:48:32 AM
Time spent in user mode 0 Days 0:0:0.0
Time spent in kernel mode 0 Days 0:0:0.15

Function Arg 1 Arg 2 Arg 3 Source
php5ts!match+6 022bd395 011a3768 022bcf47
php5ts!match+578a 022bd395 011a3763 022bcf47
php5ts!match+56ae 022bd395 011a37ca 022bcf47
php5ts!match+6b19 022bd38d 011a37ca 022bcf47
php5ts!match+578a 022bd38d 011a3763 022bcf47
php5ts!match+56ae 022bd38d 011a37ca 022bcf47
php5ts!match+6b19 022bd387 011a37ca 022bcf47
php5ts!match+578a 022bd387 011a3763 022bcf47
php5ts!match+56ae 022bd387 011a37ca 022bcf47
php5ts!match+6b19 022bd382 011a37ca 022bcf47
php5ts!match+578a 022bd382 011a3763 022bcf47
php5ts!match+56ae 022bd382 011a37ca 022bcf47
php5ts!match+6b19 022bd37b 011a37ca 022bcf47
php5ts!match+578a 022bd37b 011a3763 022bcf47
php5ts!match+56ae 022bd37b 011a37ca 022bcf47
php5ts!match+6b19 022bd376 011a37ca 022bcf47
php5ts!match+578a 022bd376 011a3763 022bcf47
php5ts!match+56ae 022bd376 011a37ca 022bcf47
php5ts!match+6b19 022bd372 011a37ca 022bcf47
php5ts!match+578a 022bd372 011a3763 022bcf47
php5ts!match+56ae 022bd372 011a37ca 022bcf47
php5ts!match+6b19 022bd368 011a37ca 022bcf47
php5ts!match+578a 022bd368 011a3763 022bcf47
php5ts!match+56ae 022bd368 011a37ca 022bcf47
php5ts!match+6b19 022bd363 011a37ca 022bcf47
php5ts!match+578a 022bd363 011a3763 022bcf47
php5ts!match+56ae 022bd363 011a37ca 022bcf47
php5ts!match+6b19 022bd35d 011a37ca 022bcf47
php5ts!match+578a 022bd35d 011a3763 022bcf47
php5ts!match+56ae 022bd35d 011a37ca 022bcf47
php5ts!match+6b19 022bd354 011a37ca 022bcf47
~~~~~~MANY REPEATS REMOVED HERE~~~~~~~
~~~~~~ ~~~~~~ ~~~~~~~
php5ts!match+6b19 022bcf58 011a37ca 022bcf47
php5ts!match+578a 022bcf58 011a3763 022bcf47
php5ts!match+56ae 022bcf58 011a37ca 022bcf47
php5ts!match+6b19 022bcf52 011a37ca 022bcf47
php5ts!match+578a 022bcf52 011a3763 022bcf47
php5ts!match+56ae 022bcf52 011a37ca 022bcf47
php5ts!match+6b19 022bcf4e 011a37ca 022bcf47
php5ts!match+578a 022bcf4e 011a3763 022bcf47
php5ts!match+56ae 022bcf4e 011a37ca 022bcf47
php5ts!match+6b19 022bcf4a 011a37ca 022bcf47
php5ts!match+578a 022bcf4a 011a3763 022bcf47
php5ts!match+6b19 022bcf47 011a3763 022bcf47
php5ts!match+578a 022bcf47 011a36fe 022bcf47
php5ts!php_pcre_exec+a64 011a3620 0206fa98 022bce48
php5ts!php_pcre_match_impl+250 011a3838 022bce48 00000578
php5ts!php_do_pcre_match+db 00000578 022bd448 00000000
php5ts!zif_preg_match_all+25 00000004 022bd448 00000000
php5ts!zend_do_fcall_common_helper_SPEC+94e 00000000 022f0080 0111eb18
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+130 0206fbf8 0111eb18 0206fe74
php5ts!execute+2fb 022f0080 0111eb00 00000000
php5ts!zend_execute_scripts+f6 00000008 0111eb18 00000000
php5ts!php_execute_script+245 0206fe74 0111eb18 00000005
php5apache2_2!php_handler+5d0 01116b58 0072da80 01116b58
libhttpd!ap_run_handler+21 01116b58 01116b58 01116b58
libhttpd!ap_invoke_handler+ae 00000000 01111b00 0206ff38
libhttpd!ap_die+29e 01116b58 00000000 0072e1d0
libhttpd!ap_get_request_note+1c9c 01111b00 01111b00 01111b00
libhttpd!ap_run_process_connection+21 01111b00 00674e50 0206ff80
libhttpd!ap_process_connection+33 01111b00 0110aad0 00ec0040
libhttpd!ap_regkey_value_remove+c7c 01111af8 00ec0040 00e80000
msvcrt!_endthreadex+a9 011086f8 00ec0040 00e80000
kernel32!BaseThreadStart+37 77c3a341 011086f8 00000000

PHP5TS!MATCH+6
In httpd__PID__4032__Date__12_18_2009__Time_09_49_29AM__241__Second_Chance_Exception_C00000FD.dmp the assembly instruction at php5ts!match+6 in C:\Program Files\PHP53\php5ts.dll from The PHP Group has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x02032f2c on thread 57

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50518&edit=1
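
Added example, not part of the bug report or of PHP's own code: one way to run a pattern like the one above with PCRE's backtrack and recursion limits lowered for a single call, checking preg_last_error() so that an aborted match is not read as "no matches". The helper names, the cut-down pattern, the constructed subject and the recursion limit of 500 are assumptions; 1100 is the backtrack limit the reporter mentions. A suitable recursion limit depends on the stack available to the thread running PHP.

```php
<?php
// Added example, not code from the bug report. bounded_preg_match_all() is a
// hypothetical helper and the limit values passed below are assumptions.

function pcre_error_name($code)
{
    $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    return isset($names[$code]) ? $names[$code] : "PCRE error code $code";
}

function bounded_preg_match_all($pattern, $subject, $backtrackLimit, $recursionLimit)
{
    // Lower both limits for this one call, then put the old values back.
    $oldBacktrack = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    $oldRecursion = ini_set('pcre.recursion_limit', (string) $recursionLimit);

    $matches = array();
    $count = preg_match_all($pattern, $subject, $matches, PREG_OFFSET_CAPTURE);
    $error = preg_last_error();

    if ($oldBacktrack !== false) { ini_set('pcre.backtrack_limit', $oldBacktrack); }
    if ($oldRecursion !== false) { ini_set('pcre.recursion_limit', $oldRecursion); }

    // An aborted match must not be mistaken for "no matches found".
    if ($count === false || $error !== PREG_NO_ERROR) {
        return array('ok' => false, 'error' => pcre_error_name($error), 'matches' => array());
    }
    return array('ok' => true, 'error' => null, 'count' => $count, 'matches' => $matches);
}

// Constructed input: a cut-down repeated-phrase pattern in the style of the
// report's, and a subject made of one word repeated many times.
$pattern = "/\\b([\\w'-]+( [\\w'-]+)+) ?( \\1)+ /i";
$subject = str_repeat('and ', 400) . 'right now';

$result = bounded_preg_match_all($pattern, $subject, 1100, 500);
echo $result['ok'] ? "matched {$result['count']} time(s)\n"
                   : "match aborted: {$result['error']}\n";
```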