From:
Operating system: Linux
PHP version: 5.3.5
Package: PCRE related
Bug Type: Bug
Bug description: preg_replace overflow segfault
Description:
------------
When preg_replace'ing a pattern which occurs a lot in a subject, PHP will SIGSEGV. With the test script PHP fails at Iteration 2236. It seems only to occur with a pattern like '(x)+', where X can be anything. FreeBSD (8.1) has no issues with the test script.

I found a relevant bug: http://bugs.php.net/bug.php?id=36507 , but I find it awkward that the internal pcre library still has the bug.

Test script:
---------------
<?php
// Grow the subject by one 'x' per iteration and strip every run of x with a
// repeated capturing group; on the reporter's build PHP crashes at iteration 2236.
$string = "";
$newstring = "";
for ($i = 0; $i < 10240; $i++) {
    echo "Iteration $i\n";
    $string .= 'x';                       // subject is now $i + 1 bytes of 'x'
    $newstring = $string;
    $newstring = preg_replace("/(x)+/", "", $newstring);
    echo "$string - $newstring \n";       // expected: "$string - " (every x removed)
}
?>

Expected result:
----------------
Run to infinity and beyond as long as the loop loops.

Actual result:
--------------
A snippet of the backtrace:

#0 match (eptr=0x8b61e49 "", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4474) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:627
#1 0x080c8469 in match (eptr=0x8b61e49 "", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4473) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#2 0x080c6793 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4472) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#3 0x080c8469 in match (eptr=0x8b61e48 "x", ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=4471) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
--snip--
#4473 0x080c8469 in match (eptr=0x8b6158d 'x' <repeats 200 times>..., ecode=0x8b8aeba "V", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=4, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=1) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:1623
#4474 0x080c6793 in match (eptr=0x8b6158c 'x' <repeats 200 times>..., ecode=0x8b8aeb3 "_", mstart=0x8b6158c 'x' <repeats 200 times>..., markptr=0x0, offset_top=2, md=0xbfde5de8, ims=0, eptrb=0x0, flags=0, rdepth=0) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:803
#4475 0x080d8dbe in php_pcre_exec (argument_re=0x8b8ae88, extra_data=0xbfde5f64, subject=0x8b6158c 'x' <repeats 200 times>..., length=2237, start_offset=0, options=0, offsets=0x8b5b48c, offsetcount=6) at /root/compile/php-5.3.5/ext/pcre/pcrelib/pcre_exec.c:6064
#4476 0x080def1d in php_pcre_replace_impl (pce=0x8bcb0a8, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1052
#4477 0x080ded1d in php_pcre_replace (regex=0x8b5f028 "/(x)+/", regex_len=6, subject=0x8b6158c 'x' <repeats 200 times>..., subject_len=2237, replace_val=0x8b5ef54, is_callable_replace=0, result_len=0xbfde6158, limit=-1, replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:962
#4478 0x080dfa5c in php_replace_in_subject (regex=0x8b5f104, replace=0x8b5ef54, subject=0x8b8b16c, result_len=0xbfde6158, limit=-1, is_callable_replace=0, replace_count=0xbfde6144) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1279
#4479 0x080e0447 in preg_replace_impl (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, is_callable_replace=0, is_filter=0) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1377
#4480 0x080e052d in zif_preg_replace (ht=3, return_value=0x8b5ef14, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/compile/php-5.3.5/ext/pcre/php_pcre.c:1397
#4481 0x084afafb in zend_do_fcall_common_helper_SPEC (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:316
#4482 0x084b4537 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x8b8b030) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:1606
#4483 0x084aef98 in execute (op_array=0x8b5e2c8) at /root/compile/php-5.3.5/Zend/zend_vm_execute.h:107
#4484 0x08487c63 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/compile/php-5.3.5/Zend/zend.c:1194
#4485 0x084272f3 in php_execute_script (primary_file=0xbfde86d4) at /root/compile/php-5.3.5/main/main.c:2265
#4486 0x08547ba6 in main (argc=2, argv=0xbfde8834) at /root/compile/php-5.3.5/sapi/cli/php_cli.c:1193

-- Edit bug report at http://bugs.php.net/bug.php?id=53953&edit=1
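Added example, not part of the bug report and not PHP's own code. The backtrace above shows one nested match() frame per 'x' (rdepth climbs to 4474 on a 2237-byte subject), so the practical defences are to bound the matcher's recursion and to check preg_last_error() instead of trusting the return value. The script below sets pcre.recursion_limit so the repeated capturing group hits PREG_RECURSION_LIMIT_ERROR (preg_replace returns NULL) rather than overflowing the stack, and contrasts it with /x+/, which strips the same run without nesting a frame per character; because the reporter replaces with an empty string, the capture group is never used and the two patterns are interchangeable for this job. Assumptions: PHP 5.2 or later (preg_last_error(), pcre.recursion_limit); the subject length of 50000 and the limit of 1000 are chosen here; on PHP 7.0 and later the JIT is switched off because the recursion (depth) limit is not enforced for JIT-compiled matching; on PHP 7.3 and later (PCRE2) the matcher no longer recurses on the C stack, so the segfault itself is not expected to reproduce there, only the limit check.

```php
<?php
// Added example (not the reporter's script). Bound PCRE recursion and detect
// the limit instead of letting the process SIGSEGV. Assumes PHP >= 5.2 for
// preg_last_error() and pcre.recursion_limit.

// Run a replacement and report the PCRE error state alongside the result,
// because preg_replace() signals failure only by returning NULL.
function stripRun($pattern, $subject)
{
    $result = preg_replace($pattern, '', $subject);
    $err = preg_last_error();
    return array(
        'ok'     => $result !== null && $err === PREG_NO_ERROR,
        'error'  => $err,
        'result' => $result,
    );
}

function errorName($code)
{
    switch ($code) {
        case PREG_NO_ERROR:              return 'PREG_NO_ERROR';
        case PREG_BACKTRACK_LIMIT_ERROR: return 'PREG_BACKTRACK_LIMIT_ERROR';
        case PREG_RECURSION_LIMIT_ERROR: return 'PREG_RECURSION_LIMIT_ERROR';
        default:                         return "error code $code";
    }
}

// The recursion limit is not enforced for JIT-compiled matching (PHP >= 7.0),
// so force the interpreter for this demonstration.
if (PHP_VERSION_ID >= 70000) {
    ini_set('pcre.jit', '0');
}
// Keep the matcher's recursion well below what the C stack can hold; a hit
// then surfaces as NULL plus an error code rather than a crash. The value
// 1000 is an assumption chosen for the demo, not a recommended setting.
ini_set('pcre.recursion_limit', '1000');

// Constructed input: a long run of the character the pattern repeats over
// (50000 is arbitrary; the bug report crashed at 2237 bytes).
$subject = str_repeat('x', 50000);

// Repeated capturing group: the recursive PCRE shipped with PHP 5.x nests one
// match() frame per iteration, so the depth grows with the subject length.
$r = stripRun('/(x)+/', $subject);
printf("/(x)+/ : %s (%s)\n", $r['ok'] ? 'ok' : 'FAILED', errorName($r['error']));

// Same match, no capture: a single-character repeat is consumed iteratively
// inside one frame, so the depth stays flat however long the run is.
$r = stripRun('/x+/', $subject);
printf("/x+/   : %s (%s), %d bytes left\n",
       $r['ok'] ? 'ok' : 'FAILED', errorName($r['error']),
       strlen((string) $r['result']));
```

Run it with `php limit-demo.php` (file name assumed). The first call should report FAILED with PREG_RECURSION_LIMIT_ERROR and the second ok with 0 bytes left. The point for callers is the `$result !== null && preg_last_error() === PREG_NO_ERROR` check: a NULL from preg_replace silently becomes an empty string when concatenated or echoed, which is exactly how a partial sanitisation goes unnoticed once a limit is in place. The rewrite to /x+/ is only valid when the capture is unused, as it is here; where the group's value is needed, an atomic or possessive form such as (?>x+) still avoids the per-iteration backtracking.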