From: jan at horde dot org
Operating system: Linux
PHP version: 5.2.0RC4
PHP Bug Type: Reproducible crash
Bug description: Segfault in preg_replace_impl
Description:
------------
Using preg_replace to parse and process email addresses in certain email
message headers causes reproducible segfaults. Unfortunately these don't
happen in a stripped-down preg_replace call, but only in the context of a
larger application. I was able to get a backtrace though that might be
helpful:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210352992 (LWP 32029)]
0xb75f8ca7 in preg_replace_impl (ht=<value optimized out>, return_value=0xb6560604, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1, is_callable_replace=0 '\0') at /home/jan/software/php-5.2.0RC4/ext/pcre/php_pcre.c:1307
1307            switch(zend_hash_get_current_key(Z_ARRVAL_PP(subject), &string_key, &num_key, 0))
(gdb) bt
#0  0xb75f8ca7 in preg_replace_impl (ht=<value optimized out>, return_value=0xb6560604, return_value_ptr=<value optimized out>, this_ptr=0x0, return_value_used=1, is_callable_replace=0 '\0') at /home/jan/software/php-5.2.0RC4/ext/pcre/php_pcre.c:1307
#1  0xb78c0b6c in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf8090) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:200
#2  0xb78b3fbd in execute (op_array=0xb651143c) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#3  0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf8560) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#4  0xb78b3fbd in execute (op_array=0xb659a668) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#5  0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf8860) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#6  0xb78b3fbd in execute (op_array=0xb659b664) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#7  0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf8e40) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#8  0xb78b3fbd in execute (op_array=0xb65d7868) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#9  0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf8fa0) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#10 0xb78b3fbd in execute (op_array=0xb65d7798) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#11 0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf9850) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#12 0xb78b3fbd in execute (op_array=0xb66171b8) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#13 0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfaf9ab0) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#14 0xb78b3fbd in execute (op_array=0xb65d7934) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#15 0xb78c05eb in zend_do_fcall_common_helper_SPEC (execute_data=0xbfb00890) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:234
#16 0xb78b3fbd in execute (op_array=0xb6eb227c) at /home/jan/software/php-5.2.0RC4/Zend/zend_vm_execute.h:92
#17 0xb7898bb7 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /home/jan/software/php-5.2.0RC4/Zend/zend.c:1096
#18 0xb785b112 in php_execute_script (primary_file=0xbfb02bbc) at /home/jan/software/php-5.2.0RC4/main/main.c:1759
#19 0xb790f73f in apache_php_module_main (r=0x80d4434, display_source_mode=0) at /home/jan/software/php-5.2.0RC4/sapi/apache/sapi_apache.c:53
#20 0xb79106d8 in send_php (r=0x80d4434, display_source_mode=0, filename=0x0) at /home/jan/software/php-5.2.0RC4/sapi/apache/mod_php5.c:665
#21 0xb7910926 in send_parsed_php (r=0x80d4434) at /home/jan/software/php-5.2.0RC4/sapi/apache/mod_php5.c:680
#22 0x0806bd77 in ap_invoke_handler ()
#23 0x080823d9 in process_request_internal ()
#24 0x08082436 in ap_process_request ()
#25 0x08078b16 in child_main ()
#26 0x08078d4d in make_child ()
#27 0x08078ebd in startup_children ()
#28 0x0807958a in standalone_main ()
#29 0x08079e50 in main ()
The segfault happens in PHP 4 too.
--
Edit bug report at http://bugs.php.net/?id=39016&edit=1
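An added debugging harness for narrowing this kind of report down; it is not the reporter's code and does not reproduce the crash. The faulting line in the trace, a zend_hash_get_current_key() on Z_ARRVAL_PP(subject), is in the path preg_replace_impl takes when the subject argument is an array, so a reduction should feed preg_replace the same array of header values the application does, and log each element to stderr (unbuffered) before the call. After a SIGSEGV the last logged line names the element that was being processed; running the elements one at a time afterwards tells whether a single string triggers it or only the array iteration does. The header values and the pattern below are constructed for illustration; array() syntax is used so the script also runs on the PHP 4/5.2 builds the report mentions.

```php
<?php
// Added example, not from the bug report. Constructed header values; the
// real inputs that crashed the reporter's application are not on the page.
$headers = array(
    'From: "Jan Schneider" <jan@horde.org>',
    'To: Alice <alice@example.com>, bob@example.net',
    'Cc: =?utf-8?q?J=C3=BCrgen?= <juergen@example.org>',
);

// Constructed pattern: keep only the first angle-bracketed address.
$pattern     = '/^.*<([^<>\s]+@[^<>\s]+)>.*$/';
$replacement = '$1';

function log_line($msg)
{
    // STDERR is unbuffered, so the line is written even if the process
    // dies on the very next call.
    fwrite(STDERR, $msg . "\n");
}

// 1. Whole-array subject: the code path the backtrace shows
//    (preg_replace_impl iterating over Z_ARRVAL_PP(subject)).
log_line('array subject with ' . count($headers) . ' elements');
$all = preg_replace($pattern, $replacement, $headers);
if ($all === null) {
    log_line('preg_replace returned NULL (pattern or backtrack error)');
}

// 2. One element per call. Logging the bytes as hex makes non-ASCII or
//    control characters in a header visible in the crash log.
foreach ($headers as $i => $h) {
    log_line(sprintf('element %d (%d bytes): %s', $i, strlen($h), bin2hex($h)));
    $out = preg_replace($pattern, $replacement, $h);
    log_line('  -> ' . var_export($out, true));
}
```

Run it as `php harness.php 2>crash.log` under the same PHP build (or under `gdb --args php harness.php`); once a single offending header value is known, it can be attached to the report in place of the "needs the whole application" statement above.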