From: pages at inrp dot fr
Operating system: Fedora Core 1 (Linux)
PHP version: 5.0.0b3 (beta3)
PHP Bug Type: Reproducible crash
Bug description: preg_match() crashes Apache on VERY SIMPLE pattern but large subject size
Description:
------------
After running the script below, /var/log/httpd/error_log says:
[Wed Jan 28 00:19:30 2004] [notice] child pid 13744 exit signal Segmentation fault (11)
It has been tested on 3 different systems:
- Red Hat 8.0 + Apache 2.0.40 + PHP 4.2.2
- Red Hat 9 + Apache 2.0.40 + PHP 4.2.2
- Fedora Core 1 + Apache 2.0.48 + 5.0.0b3
Some statistics:
- with pattern "/(a)*/", it crashes with a subject length > 13800
- with pattern "/((a))*/", it crashes with a subject length > 9200
- with pattern "/(((a)))*/", it crashes with a subject length > 6900
- with pattern "/((((a))))*/", it crashes with a subject length > 5600
- with pattern "/(((((a)))))*/", it crashes with a subject length > 4600
- with pattern "/((((((a))))))*/", it crashes with a subject length > 4000
- etc...
Reproduce code:
---------------
<?php
# This script crashes Apache :
$subject = str_repeat("a",13800);
preg_match("/(a)*/",$subject);
echo "OK";
# NB: The length of $subject (here 13800) may depend on
# your system. It seems to be related to the memory_limit
# directive (mine is 8M) but not in the way that
# one would expect (it doesn't seem to be something
# like "If I give more memory, then I need a larger
# subject to crash Apache").
# It doesn't crash if I use the pattern "/a*/" instead
# of "/(a)*/".
?>
Expected result:
----------------
No crash
Actual result:
--------------
Crash :-(
--
Edit bug report at http://bugs.php.net/?id=27070&edit=1
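The report shows a worker process dying on attacker-sized input, which is a denial-of-service risk for any site that passes user data into preg_match(). As an added example (not part of the bug report, and not PHP's own code), the wrapper below shows the defensive shape a practitioner would use today: cap the subject length, bound PCRE's work with the pcre.backtrack_limit and pcre.recursion_limit directives, and check preg_last_error() instead of trusting the return value. Those directives and preg_last_error() were added in PHP 5.2, after the versions in the report; MAX_SUBJECT_LEN and safe_preg_match() are assumed names for this illustration.

```php
<?php
// Added example (not from the bug report): guard preg_match() against
// resource exhaustion when the subject length is attacker-controlled.

// Assumed application-level cap; tune per deployment. The report's crash
// thresholds (4000..13800 bytes) show how low "too long" can be.
const MAX_SUBJECT_LEN = 4096;

/**
 * Returns 1 (match), 0 (no match) or null when the match was refused or
 * PCRE gave up. Callers must treat null as "undecided", never as "matched".
 */
function safe_preg_match(string $pattern, string $subject, ?array &$matches = null): ?int
{
    // 1. Refuse oversized input before PCRE sees it.
    if (strlen($subject) > MAX_SUBJECT_LEN) {
        error_log('preg_match refused: subject too long (' . strlen($subject) . ' bytes)');
        return null;
    }

    // 2. Bound PCRE's backtracking and recursion depth so a pathological
    //    pattern/subject pair fails cleanly (preg_match() returns false)
    //    instead of exhausting the stack or burning unbounded CPU.
    ini_set('pcre.backtrack_limit', '100000');
    ini_set('pcre.recursion_limit', '5000');

    $result = preg_match($pattern, $subject, $matches);

    // 3. A false return means PCRE hit a limit or another internal error;
    //    log the code and fail closed.
    if ($result === false) {
        error_log('preg_match failed: PCRE error ' . preg_last_error()
            . ' for pattern ' . $pattern);
        return null;
    }
    return $result;
}

// Constructed inputs mirroring the report: the capturing group under '*'
// that crashed the reporter's workers, and the plain "/a*/" form the
// report says did not crash.
$subject = str_repeat('a', 13800);

var_dump(safe_preg_match('/(a)*/', $subject));                 // refused by the length cap
var_dump(safe_preg_match('/a*/', substr($subject, 0, 1000)));  // runs under the PCRE limits
```

Where the pattern itself is under your control, prefer a non-capturing group or a plain single-character repeat over a capturing group inside a quantifier, since the report shows the capturing variant is what drives the per-iteration cost.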