From: ab
Operating system: Windows
PHP version: Irrelevant
Package: PCRE related
Bug Type: Bug
Bug description: Apache stack overflow on PCRE subpatterns
Description:
------------
Running the test ext/pcre/tests/bug47662.phpt under Apache 2.2 or 2.4
causes the CRT error with the following message:
Unhandled exception at 0x01E3FC19 (php5ts_debug.dll) in httpd.exe:
0xC00000FD: Stack overflow (parameters: 0x00000001, 0x03CE2948).
This error seems to have existed for a very long time. It happens not
only with the pcre ext lately upgraded to 8.31, but also with the previous
version using PCRE 8.12. It also happens in both release and debug builds.
Here is the backtrace delivered by VS
........................... a lot of match(...) calls .....................
php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956 C
php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956 C
php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956 C
php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956 C
php5ts_debug.dll!match(const unsigned char * eptr, const unsigned char * ecode, const unsigned char * mstart, int offset_top, match_data * md, eptrblock * eptrb, unsigned int rdepth) Line 956 C
php5ts_debug.dll!php_pcre_exec(const real_pcre * argument_re, const pcre_extra * extra_data, const char * subject, int length, int start_offset, int options, int * offsets, int offsetcount) Line 6917 C
php5ts_debug.dll!php_pcre_match_impl(pcre_cache_entry * pce, char * subject, int subject_len, _zval_struct * return_value, _zval_struct * subpats, int global, int use_flags, long flags, long start_offset, void * * * tsrm_ls) Line 653 C
php5ts_debug.dll!php_do_pcre_match(int ht, _zval_struct * return_value, _zval_struct * * return_value_ptr, _zval_struct * this_ptr, int return_value_used, void * * * tsrm_ls, int global) Line 547 C
php5ts_debug.dll!zif_preg_match(int ht, _zval_struct * return_value, _zval_struct * * return_value_ptr, _zval_struct * this_ptr, int return_value_used, void * * * tsrm_ls) Line 798 C
php5ts_debug.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 642 C
php5ts_debug.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data, void * * * tsrm_ls) Line 2236 C
php5ts_debug.dll!execute(_zend_op_array * op_array, void * * * tsrm_ls) Line 410 C
php5ts_debug.dll!zend_execute_scripts(int type, void * * * tsrm_ls, _zval_struct * * retval, int file_count, ...) Line 1309 C
php5ts_debug.dll!php_execute_script(_zend_file_handle * primary_file, void * * * tsrm_ls) Line 2482 C
php5apache2_2.dll!php_handler(request_rec * r) Line 667 C
Test script:
---------------
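<?php
// Build a pattern of 4027 consecutive groups, each an unnamed group
// wrapping an empty named group x0 .. x4026, followed by 'fo+bar'.
$regex = '@';
for ($bar = 0; $bar < 4027; $bar++) {
    $regex .= '((?P<x' . $bar . '>))';
}
$regex .= 'fo+bar@';
// Match against a short subject and dump the return value.
var_dump(preg_match($regex, 'foobar', $m));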
Expected result:
----------------
int(1)
Actual result:
--------------
An exception is thrown.
--
Edit bug report at https://bugs.php.net/bug.php?id=63829&edit=1
--
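Added example, not part of the original report and not PCRE or PHP source: a simplified model of a recursive backtracking matcher with an rdepth counter like the one in the backtrace's match() signature, run on the report's pattern. The names toy_match, run_report_pattern, max_depth and TOY_ERR_RECURSION are hypothetical; the model assumes that the rest of the pattern after an opening bracket is matched inside the recursive call, which is why 4027 groups placed side by side still stack up frames, and it shows how a depth limit turns that into an error return.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TOY_ERR_RECURSION (-1)  /* constructed error code for this model */
static unsigned max_depth;      /* deepest rdepth reached by the last run */
/* Toy backtracking matcher (a model, not PCRE source): '(' ')' groups,
   an optional "?P<name>" header, literal bytes and "c+". */
static int toy_match(const char *p, const char *s, unsigned rdepth, unsigned limit)
{
    if (rdepth >= limit) return TOY_ERR_RECURSION;  /* bound the stack use */
    if (rdepth > max_depth) max_depth = rdepth;
    for (;;) {
        if (*p == '\0') return 1;                   /* pattern exhausted: match */
        if (*p == ')') { p++; continue; }           /* group closes, frame stays */
        if (*p == '(') {
            /* step past '(' and, if present, the "?P<name>" header */
            if (*++p == '?') while (*p && *p++ != '>') {}
            /* The rest of the pattern runs inside the new frame, so groups
               placed one after another deepen the stack like nested ones. */
            return toy_match(p, s, rdepth + 1, limit);
        }
        if (p[1] == '+') {                          /* greedy repeat, backtracking */
            size_t n = 0;
            while (s[n] == *p) n++;
            for (int r; n >= 1; n--)
                if ((r = toy_match(p + 2, s + n, rdepth + 1, limit)) != 0) return r;
            return 0;
        }
        if (*s++ != *p++) return 0;                 /* literal byte */
    }
}

/* Builds the report's pattern (minus PHP's '@' delimiters), matches "foobar". */
static int run_report_pattern(int groups, unsigned limit)
{
    char *re = malloc((size_t)groups * 20 + 16), *w = re;
    if (re == NULL) return 0;
    for (int i = 0; i < groups; i++) w += sprintf(w, "((?P<x%d>))", i);
    strcpy(w, "fo+bar");
    max_depth = 0;
    int r = toy_match(re, "foobar", 0, limit);
    free(re);
    return r;
}

int main(void)
{
    printf("limit 100000: %d\n", run_report_pattern(4027, 100000));
    printf("limit 1000:   %d\n", run_report_pattern(4027, 1000));
    return 0;
}
```

In PHP the corresponding setting is the pcre.recursion_limit ini directive; a value low enough for the thread's stack makes the match fail with an error instead of crashing the process.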