ID: 39016
Updated by: [EMAIL PROTECTED]
Reported By: jan at horde dot org
-Status: Open
+Status: Assigned
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.2.0RC4
-Assigned To:
+Assigned To: andrei
New Comment:
Andrei, please take a look at this. Looks like yet another stack overflow in PCRE..

Previous Comments:
------------------------------------------------------------------------

[2006-10-02 15:51:41] jan at horde dot org

(gdb) p subject
$1 = (zval **) 0xb6f019e0
(gdb) p **subject
Cannot access memory at address 0x1
(gdb) p string_key
$2 = 0x10 <Address 0x10 out of bounds>
(gdb) p num_key
$3 = 1

------------------------------------------------------------------------

[2006-10-02 15:48:34] [EMAIL PROTECTED]

What do you get in GDB with
p subject
p **subject
p string_key
p num_key
?

------------------------------------------------------------------------

[2006-10-02 15:41:08] jan at horde dot org

I didn't try a snapshot since this happens with PHP 4, so I guess it's an older issue that simply hasn't been triggered yet. Here's the valgrind log:

==32185== Address 0xBEDDDD32 is on thread 1's stack
==32185==
==32185== Invalid read of size 4
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185== Address 0x1 is not stack'd, malloc'd or (recently) free'd
==32185==
==32185== Process terminating with default action of signal 11 (SIGSEGV)
==32185== Access not within mapped region at address 0x1
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)

------------------------------------------------------------------------

[2006-10-02 15:36:50] jan at horde dot org

I should add the lines of code that caused this, right? :)

$regexp = <<<EOR
/
# Version 1: mailto: links with any valid email characters.
# Pattern 1: Outlook parenthesizes in square brackets
(\[\s*)?
# Pattern 2: mailto: protocol prefix
(mailto:\s?)
# Pattern 3: email address
([^\s\?"<]*)
# Pattern 4 to 6: Optional parameters
((\?)([^\s"<]*[\w+#?\/&=]))?
# Pattern 7: Closing Outlook square bracket
((?(1)\s*\]))
|
# Version 2 Pattern 8: simple email addresses.
([EMAIL PROTECTED])
# Pattern 9 to 11: Optional parameters
((\?)([^\s"<]*[\w+#?\/&=]))?
/eix
EOR;

preg_replace($regexp,
             'Text_Filter_emails::callback(\'' . $tag . '\', \'' . $class . '\', \'$1\', \'$2\', \'$3\', \'$4\', \'$6\', \'$7\', \'$8\', \'$9\', \'$11\')',
             'a long list of email addresses etc.')

The regexp part that causes the problem, i.e. that no longer segfaults if removed, is pattern #8.

------------------------------------------------------------------------

[2006-10-02 15:34:34] [EMAIL PROTECTED]

Did you try fresh snapshots?
Do you see anything interesting with valgrind?
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/39016

-- 
Edit this bug report at http://bugs.php.net/?id=39016&edit=1
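The preg_replace() call quoted in the 15:36:50 comment uses the /e modifier, which makes PHP evaluate the replacement string, with the captured groups substituted in, as code (the modifier was removed in PHP 7 for that reason). As an added example, not the report's or Horde's code, here is the same rewrite done with preg_replace_callback(), with pcre.backtrack_limit and pcre.recursion_limit set so that a pathological subject makes PCRE return an error instead of running itself out of stack, and with preg_last_error() checked afterwards. The pattern's bare-address branch (group 8) is constructed, since the report's was scrubbed by the mail archive; rewrite_emails and the sample subject are my own names and data.

```php
<?php
// Added example, not code from the bug report or from Horde.
// Same job as the reported preg_replace() call (mailto: links and bare
// addresses become anchors) without the /e modifier, with PCRE's resource
// use bounded and its error state checked. Needs PHP 5.3+ (closures, nowdoc);
// the pcre.* settings and PREG_*_ERROR constants exist since PHP 5.2.0.

// Bound backtracking and recursion so a hostile or merely huge subject fails
// with an error instead of exhausting the C stack inside the matcher.
// The values are illustrative; PHP's defaults are 1000000 and 100000.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '5000');

// Constructed pattern: groups 1-7 follow the report's first branch; the
// bare-address branch (group 8) is my own, since the report's was scrubbed.
$regexp = <<<'EOR'
/
  (\[\s*)?                        # 1: Outlook's opening square bracket
  (mailto:\s?)                    # 2: mailto: prefix
  ([^\s\?"<]*)                    # 3: address
  ((\?)([^\s"<]*[\w+#?\/&=]))?    # 4-6: optional ?parameters
  ((?(1)\s*\]))                   # 7: closing bracket, only if 1 matched
|
  ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})   # 8: bare address
  ((\?)([^\s"<]*[\w+#?\/&=]))?    # 9-11: optional ?parameters
/ix
EOR;

function rewrite_emails($text, $regexp)
{
    $out = preg_replace_callback($regexp, function (array $m) {
        // Groups 8-11 are present only when the bare-address branch matched.
        if (isset($m[8]) && $m[8] !== '') {
            $addr  = $m[8];
            $query = isset($m[11]) ? $m[11] : '';
        } else {
            $addr  = $m[3];
            $query = isset($m[6]) ? $m[6] : '';
        }
        $href = 'mailto:' . $addr . ($query !== '' ? '?' . $query : '');
        // Matched text is data, not code: it is escaped, never eval'd.
        return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
             . htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8') . '</a>';
    }, $text);

    // NULL means PCRE gave up; preg_last_error() says why.
    if ($out === null) {
        $reasons = array(
            PREG_BACKTRACK_LIMIT_ERROR => 'pcre.backtrack_limit exceeded',
            PREG_RECURSION_LIMIT_ERROR => 'pcre.recursion_limit exceeded',
            PREG_BAD_UTF8_ERROR        => 'subject is not valid UTF-8',
        );
        if (defined('PREG_JIT_STACKLIMIT_ERROR')) {   // PHP 7.0+ with pcre.jit=1
            $reasons[PREG_JIT_STACKLIMIT_ERROR] = 'PCRE JIT stack limit exceeded';
        }
        $code = preg_last_error();
        throw new RuntimeException('preg_replace_callback failed: '
            . (isset($reasons[$code]) ? $reasons[$code] : "error code $code"));
    }
    return $out;
}

// Constructed sample input.
$sample = 'Write to [mailto:alice@example.org?subject=hi] or bob@example.com today.';
echo rewrite_emails($sample, $regexp), "\n";
```

The two ini settings cap what PCRE's interpretive matcher may do per call; a subject that exceeds them makes rewrite_emails() throw with the PREG_* reason rather than take the process down, and on PHP 7+ with the JIT enabled the analogous failure surfaces as PREG_JIT_STACKLIMIT_ERROR. They bound the regex engine only; they are not a substitute for the fix to preg_replace_impl() that this thread is working towards.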