#43301 [Opn->Csd]: mb_ereg*_replace() crashes when replacement string is invalid PHP expression

ID:               43301
Updated by:       [EMAIL PROTECTED]
Reported By:      yoy dot noneoff at dfgh dot net
-Status:          Open
+Status:          Closed
Bug Type:         mbstring related
Operating System: win xp sp2
PHP Version:      5.3CVS-2007-11-15 (CVS)

New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:

[2007-11-16 11:55:15] [EMAIL PROTECTED]

Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1

Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 /home/jani/src/php-5.3/Zend/zend_variables.h, __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35          CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 /home/jani/src/php-5.3/Zend/zend_variables.h, __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1  0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 /home/jani/src/php-5.3/Zend/zend_operators.c, __zend_lineno=599) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2  0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c, __zend_lineno=742) at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3  0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4  0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5  0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6  0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7  0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8  0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9  0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140

[2007-11-16 04:18:39] yoy dot noneoff at dfgh dot net

Function                                          Arg 1     Arg 2     Arg 3     Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5  0004      0112c838
php_mbstring!zif_mb_ereg_replace+25               0004      0112c838
php5ts!zend_do_fcall_common_helper_SPEC+85b       00c0fbf0  00033f50  0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f       00033f50  00033f50
php5ts!execute+1b7                                0112c298  00033f50
php5ts!zend_execute_scripts+107                   0008      00033f50
php5ts!php_execute_script+20d                     00c0fec8  00033f50  ed13662e
php!main+c0e                                      0002      00032cc0  00032f38
php!mainCRTStartup+e3                             ed13662e  01c827f6  7ffd4000
kernel32!RegisterWaitForInputIdle+49              00402c12

[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net

correct

Reproduce code:
---
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>

[2007-11-15 01:35:30] yoy dot noneoff at dfgh dot net

Description:
PHP crashes in mbstring (php_mbstring.dll) when running as CGI, when the 'e' flag/option is used and the $replacement parameter contains a PHP expression with a syntax error. The problem is not present when PHP is loaded as a module (Apache): a Parse error is thrown. Applies to the latest PHP 5.3 and also to PHP 5.2.

Reproduce code:
---
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo C($ptr, '$1', $txt, 'e');
?>

Expected result:
see Parse Error, similar to PHP loaded as module.

Actual result:
--
crash error
AppName: php-cgi.exe  AppVer: 5.3.0.0  ModName: php_mbstring.dll
ModVer: 5.3.0.0  Offset: 00031595
--

Edit this bug report at http://bugs.php.net/?id=43301&edit=1
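Added example (PHP; not code from the bug report or from PHP's own sources) showing the hazard behind this report and the defensive alternative: with the 'e' option the replacement string is compiled as PHP source on every match, so a malformed replacement aborts the script and any untrusted data placed in it is executed rather than inserted, whereas a callback returns plain strings and compiles nothing. It assumes PHP 5.4.1 or later with mbstring (where mb_ereg_replace_callback exists) and uses the \0 back-reference to the whole match.

```php
<?php
// Added example, not part of bug #43301. Assumes PHP >= 5.4.1 with mbstring:
// mb_ereg_replace_callback was introduced in 5.4.1, and the 'e' option was
// removed in PHP 8.0, so the first call only runs on PHP 5.x/7.x.
$text = 'hello, I have got a crash on you';

// Risky form: with 'e' the replacement is PHP source that is compiled and
// run once per match, with the matched text pasted in for \0. A syntax
// error in this string is the condition from the report: a crash before the
// fix, a parse error plus a fatal error (script aborted) after it. Anything
// that flows into $evaluated from outside runs as code, not as text.
$evaluated = 'strtoupper("\\0")';
echo mb_ereg_replace('hello', $evaluated, $text, 'e'), "\n";

// Hardened form: the callback receives the match array and returns a plain
// string. Replacement data is never compiled, so a malformed or hostile
// value can neither abort the script nor execute.
echo mb_ereg_replace_callback('hello', function (array $m) {
    return strtoupper($m[0]);
}, $text), "\n";
```

Both calls produce the same uppercased output; only the callback form keeps replacement data out of the compiler.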
#43301 [Opn->Csd]: mb_ereg*_replace() crashes when replacement string is invalid PHP expression

ID:               43301
Updated by:       [EMAIL PROTECTED]
Reported By:      yoy dot noneoff at dfgh dot net
-Status:          Open
+Status:          Closed
Bug Type:         mbstring related
Operating System: win xp sp2
PHP Version:      5.3CVS-2007-11-15 (CVS)

New Comment:

Those are expected and unfortunate side-effects and happen also if you do
the same using pcre.

Previous Comments:

[2007-11-16 19:14:29] yoy dot noneoff at dfgh dot net

The crash issue is indeed gone, but two new problems appear. I downloaded the latest package and noticed that now there are 2 errors raised: PHP Parse error and PHP Fatal error.

Prob 1: the rest of the script execution stops.

I also think the PHP Fatal error is NOT required; in addition, it's a security risk. For example

mb_ereg_replace('ptr', '<script>alert(\'are you sure\')</script>', 'text with ptr', 'e')

returns:

PHP Parse error: syntax error, unexpected '<' in test.php: mbregex replace on line 1
PHP Fatal error: mb_ereg_replace(): Failed evaluating code: <script>alert('are you sure')</script> in test.php on line 3

[2007-11-16 12:29:42] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

[2007-11-16 11:55:15] [EMAIL PROTECTED]

Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1

Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 /home/jani/src/php-5.3/Zend/zend_variables.h, __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35          CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 /home/jani/src/php-5.3/Zend/zend_variables.h, __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1  0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 /home/jani/src/php-5.3/Zend/zend_operators.c, __zend_lineno=599) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2  0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c, __zend_lineno=742) at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3  0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4  0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5  0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6  0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7  0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8  0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9  0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140

[2007-11-16 04:18:39] yoy dot noneoff at dfgh dot net

Function                                          Arg 1     Arg 2     Arg 3     Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5  0004      0112c838
php_mbstring!zif_mb_ereg_replace+25               0004      0112c838
php5ts!zend_do_fcall_common_helper_SPEC+85b       00c0fbf0  00033f50  0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f       00033f50  00033f50
php5ts!execute+1b7                                0112c298  00033f50
php5ts!zend_execute_scripts+107                   0008      00033f50
php5ts!php_execute_script+20d                     00c0fec8  00033f50  ed13662e
php!main+c0e                                      0002      00032cc0  00032f38
php!mainCRTStartup+e3                             ed13662e  01c827f6  7ffd4000
kernel32!RegisterWaitForInputIdle+49              00402c12

[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net

correct

Reproduce code:
---
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>