ID: 39016
Updated by: [EMAIL PROTECTED]
Reported By: jan at horde dot org
-Status: Open
+Status: Assigned
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.2.0RC4
-Assigned To:
+Assigned To: andrei
New Comment:
Andrei, please take a look at this.
Looks like yet another stack overflow in PCRE.
Previous Comments:
------------------------------------------------------------------------
[2006-10-02 15:51:41] jan at horde dot org
(gdb) p subject
$1 = (zval **) 0xb6f019e0
(gdb) p **subject
Cannot access memory at address 0x1
(gdb) p string_key
$2 = 0x10 <Address 0x10 out of bounds>
(gdb) p num_key
$3 = 1
------------------------------------------------------------------------
[2006-10-02 15:48:34] [EMAIL PROTECTED]
What do you get in GDB with
p subject
p **subject
p string_key
p num_key
?
------------------------------------------------------------------------
[2006-10-02 15:41:08] jan at horde dot org
I didn't try a snapshot since this happens with PHP 4, so I guess it's
an older issue that simply hasn't been triggered yet.
Here's the valgrind log:
==32185== Address 0xBEDDDD32 is on thread 1's stack
==32185==
==32185== Invalid read of size 4
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==32185==
==32185== Process terminating with default action of signal 11 (SIGSEGV)
==32185==  Access not within mapped region at address 0x1
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
------------------------------------------------------------------------
[2006-10-02 15:36:50] jan at horde dot org
I should add the lines of code that caused this, right? :)
$regexp = <<<EOR
/
# Version 1: mailto: links with any valid email characters.
# Pattern 1: Outlook parenthesizes in square brackets
(\[\s*)?
# Pattern 2: mailto: protocol prefix
(mailto:\s?)
# Pattern 3: email address
([^\s\?"<]*)
# Pattern 4 to 6: Optional parameters
((\?)([^\s"<]*[\w+#?\/&=]))?
# Pattern 7: Closing Outlook square bracket
((?(1)\s*\]))
|
# Version 2 Pattern 8: simple email addresses.
([EMAIL PROTECTED])
# Pattern 9 to 11: Optional parameters
((\?)([^\s"<]*[\w+#?\/&=]))?
/eix
EOR;
preg_replace($regexp,
             'Text_Filter_emails::callback(\'' . $tag . '\', \'' . $class . '\', \'$1\', \'$2\', \'$3\', \'$4\', \'$6\', \'$7\', \'$8\', \'$9\', \'$11\')',
             'a long list of email addresses etc.');
The regexp part that causes the problem, i.e. that no longer segfaults
if removed, is pattern #8.
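As an added example, not code from the bug report or from Horde: the same linkifying replacement written with preg_replace_callback instead of the /e string callback, with PCRE's resource limits set explicitly and the result checked through preg_last_error() so a limit hit is reported rather than passed through silently. Pattern 8's character class is redacted on this page, so the stand-in below is constructed; emails_callback and the sample subject are likewise assumptions.

```php
<?php
// Added example, not the bug report's or Horde's code. Bound PCRE's work
// per call so a pathological subject fails with an error instead of
// exhausting the stack, and avoid /e, which eval()s a string built from
// the matches.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '100000');

$regexp = <<<EOR
/
(\[\s*)?                      # 1: Outlook square bracket
(mailto:\s?)                  # 2: mailto: prefix
([^\s\?"<]*)                  # 3: address
((\?)([^\s"<]*[\w+#?\/&=]))?  # 4-6: optional parameters
((?(1)\s*\]))                 # 7: closing bracket if 1 matched
|
([\w.+-]+@[\w.-]+\.\w+)       # 8: constructed stand-in for the redacted class
((\?)([^\s"<]*[\w+#?\/&=]))?  # 9-11: optional parameters
/ix
EOR;

// Hypothetical callback: trailing groups that did not take part are absent
// from $m, so read them with isset() rather than trusting fixed indices.
function emails_callback(array $m) {
    $addr   = (isset($m[8]) && $m[8] !== '') ? $m[8] : $m[3];
    $params = (isset($m[11]) && $m[11] !== '') ? $m[11] : (isset($m[6]) ? $m[6] : '');
    $href   = 'mailto:' . $addr . ($params !== '' ? '?' . $params : '');
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($addr, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input covering both alternatives of the pattern.
$subject = 'Contact [mailto: foo@example.com?subject=hi] or bar@example.org';
$result  = preg_replace_callback($regexp, 'emails_callback', $subject);

if ($result === null) {
    // preg_replace_callback returns null on a PCRE error; report which limit
    // was hit and fall back to the escaped original text.
    switch (preg_last_error()) {
        case PREG_BACKTRACK_LIMIT_ERROR:
            error_log('pcre.backtrack_limit hit while linkifying addresses');
            break;
        case PREG_RECURSION_LIMIT_ERROR:
            error_log('pcre.recursion_limit hit while linkifying addresses');
            break;
        default:
            error_log('PCRE error ' . preg_last_error());
    }
    $result = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}
echo $result, "\n";
```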
------------------------------------------------------------------------
[2006-10-02 15:34:34] [EMAIL PROTECTED]
Did you try fresh snapshots?
Do you see anything interesting with valgrind?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/39016