ID:               30552
 Updated by:       [EMAIL PROTECTED]
 Reported By:      cristic at interaktonline dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Apache2 related
 Operating System: Windows XP Home Edition
 PHP Version:      4.3.9
 New Comment:

Not PHP bug. (PCRE has limitations..)



Previous Comments:
------------------------------------------------------------------------

[2004-11-10 09:18:45] cmarin at interaktonline dot com

I'm back:

The bug appears to have a memory allocation issue when it tries to split
the string. A workaround is the use of the 's' modifier.

The following RegExp having the same results works:

'/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims'

------------------------------------------------------------------------

[2004-10-25 16:31:44] cristic at interaktonline dot com

Description:
------------
Crashing configurations:

Apache 2.0.50
with PHP 4.3.7, 4.3.8, 4.3.9
or 
Apache 2.0.48
with PHP 4.3.6
OS Win XP Home Edition

The code below does not crash with PHP 4.3.7, 4.3.8 or 4.3.9 and
Apache 1.3.31 on the same OS.

Reproduce code:
---------------
<?php 
$sql = "SELECT sur_survey_ssr.id_ssr,sur_survey_ssr.name_ssr,
sur_survey_ssr.welcome_ssr,sur_survey_ssr.thankyou_ssr,
sur_survey_ssr.footer_ssr,sur_survey_ssr.header_ssr,
sur_survey_ssr.startdate_ssr,sur_survey_ssr.enddate_ssr,
sur_survey_ssr.url_ssr,sur_survey_ssr.active_ssr, count(s2.id_srs) as
responses, count(s1.id_srs) as test FROM sur_survey_ssr  LEFT JOIN
sur_response_srs s2 ON id_ssr=s2.idssr_srs LEFT JOIN sur_response_srs
s1 ON id_ssr=s1.idssr_srs AND s1.test_srs=1 WHERE 1=1 GROUP BY
sur_survey_ssr.id_ssr ORDER BY startdate_ssr DESC";

if (preg_match('/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im', $sql, $matches)){
        die('a');
}else{
        die('b');
}
?>

Expected result:
----------------
- The regular expression should match any string which starts with the
'SELECT' SQL keyword and ends with a LIMIT SQL condition.


Actual result:
--------------
- When this specific string, contained in the $sql variable, is
specified, the Apache process crashes.

- Backtracking the problem, I found out that the following regular
expression stops crashing the Web Server:

'/^(\s|\n|\r)*select(\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im'

- The crash appears immediate; it's not an infinite loop.





------------------------------------------------------------------------
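
Added example, not part of the bug report or of PHP's own code: on PHP 5.2.0 and later (not the 4.3.x builds reported here), `pcre.recursion_limit` and `preg_last_error()` let a script cap PCRE's recursion and detect that the cap was hit, rather than letting a pattern such as `(.|\n|\r)*` exhaust the process stack. The subject string, the limit value and the `checked_match()` helper are constructed for illustration; the two patterns are the original and the workaround from the comments above.

```php
<?php
// Added example (not from the bug report). Requires PHP >= 5.2.0.

// Constructed subject: a long multi-line SELECT with no LIMIT clause.
$sql = "SELECT " . str_repeat("t.some_column_name,\n", 40)
     . "t.id FROM t WHERE 1=1 ORDER BY t.id DESC";

// Shared tail of both patterns from the report (LIMIT clause to end of string).
$tail = 'limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/';
$patterns = array(
    'original'   => '/^(\s|\n|\r)*select(.|\n|\r)*' . $tail . 'im',
    'workaround' => '/^(\s|\n|\r)*select.*' . $tail . 'ims',
);

// Cap PCRE's recursion depth well below what the process stack can hold.
// 200 is an illustrative value, not a recommendation.
ini_set('pcre.recursion_limit', '200');
// The JIT ignores this limit; turn it off where the setting exists (PHP >= 7.0).
ini_set('pcre.jit', '0');

// Hypothetical helper: run preg_match() and name the PCRE error, if any.
function checked_match($pattern, $subject)
{
    $errors = array(
        PREG_INTERNAL_ERROR        => 'internal error',
        PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit hit',
        PREG_RECURSION_LIMIT_ERROR => 'recursion limit hit',
    );
    $result = preg_match($pattern, $subject);
    $code   = preg_last_error();
    if ($code !== PREG_NO_ERROR) {
        return isset($errors[$code]) ? $errors[$code] : "PCRE error $code";
    }
    if ($result === false) {
        return 'pattern did not compile';
    }
    return $result === 1 ? 'match' : 'no match';
}

foreach ($patterns as $name => $pattern) {
    echo $name, ': ', checked_match($pattern, $sql), "\n";
}
```

What each pattern reports depends on the PCRE version bundled with PHP; the point is that a limit violation surfaces as an error code the caller can handle.
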


-- 
Edit this bug report at http://bugs.php.net/?id=30552&edit=1