Edit report at http://bugs.php.net/bug.php?id=54926&edit=1
ID: 54926
User updated by: wim at godden dot net
Reported by: wim at godden dot net
Summary: preg_match causes segfault with specific subject
Status: Open
Type: Bug
Package: PCRE related
Operating System: Solaris 10
PHP Version: 5.3.6
Block user comment: N
Private report: N
New Comment:
We discovered the cause... not due to PHP, but purely due to the fact
that PCRE doesn't respect PHP memory limits. The Apache installation was
running in worker MPM model, not in prefork model and that apparently
caused the issue.
We switched to prefork and everything works fine now.
Previous Comments:
------------------------------------------------------------------------
[2011-05-25 15:20:17] wim at godden dot net
Description:
------------
A customer page (system made in Drupal) was causing segfaults. After
much debugging, I found this line to cause it :
$contents = preg_replace('<
\s*([@{}:;,]|\)\s|\s\()\s* | # Remove whitespace around separators, but keep space around parentheses.
/\*([^*\\\\]|\*(?!/))+\*/ | # Remove comments that are not CSS hacks.
[\n\r] # Remove line breaks.
>x', '\1', $contents);
The $contents was a CSS file. After experimenting, it turns out that
opening a comment string (/*) followed by 1815 characters segfaults
Apache.
The same script runs perfectly fine when run from CLI, but segfaults on
Apache 2.2. It also runs well on several Linux environments tested.
Test script:
---------------
PHP-file :
<?php
$contents = file_get_contents('temp.css');
$contents = preg_replace('<
\s*([@{}:;,]|\)\s|\s\()\s* | # Remove whitespace around separators, but keep space around parentheses.
/\*([^*\\\\]|\*(?!/))+\*/ | # Remove comments that are not CSS hacks.
[\n\r] # Remove line breaks.
>x', '\1', $contents);
echo $contents;
CSS-file :
/*
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
Expected result:
----------------
string(1797)
"/*123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567
8901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345"
Actual result:
--------------
In Apache error log :
[notice] child pid 16531 exit signal Segmentation fault (11)
Backtrace is very hard to provide at this point, due to unavailability
of a 64bit gdb on Solaris 10.
Will try to add.
------------------------------------------------------------------------
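The match-depth behaviour discussed in this report, as an added example that is not part of the original report or of PHP's own code: it runs the report's comment branch and a possessive rewrite of it (the form PCRE's pcrestack documentation suggests for this pattern shape) under a lowered pcre.recursion_limit, so a match that nests too deeply is reported through preg_last_error(). The input, the cap of 500, and the names minifyCss, $perChar and $perRun are assumptions; how the limit is counted differs between PCRE versions.

```php
<?php
// Added example, not code from the bug report. Constructed input mirroring the
// report's test case: "/*" followed by 1815 characters and never closed.
$input = '/*' . str_repeat('1234567890', 181) . '12345';

// Comment branch as written in the report: one group iteration per character.
$perChar = '/\*([^*\\\\]|\*(?!/))+\*/';
// Matches the same strings, but "++" consumes each run of ordinary characters
// in one group iteration, so depth grows with the number of inner "*"
// characters rather than with the length of the comment.
$perRun = '/\*([^*\\\\]++|\*(?!/))+\*/';

function minifyCss($commentBranch, $css)
{
    $pattern = '<
        \s*([@{}:;,]|\)\s|\s\()\s* |  # Whitespace around separators.
        ' . $commentBranch . ' |  # Comments that are not CSS hacks.
        [\n\r]  # Line breaks.
        >x';
    $out = preg_replace($pattern, '\1', $css);
    // NULL means PCRE aborted; never treat it as an empty stylesheet.
    return array($out, preg_last_error());
}

// Assumption: 500 is an illustrative cap; size it to the smallest thread stack
// the code runs on. The stock value of 100000 is far above the depth this
// input reaches, so on a small thread stack the default does not intervene.
ini_set('pcre.jit', '0'); // Interpreter path only; setting is unknown on PHP 5.
ini_set('pcre.recursion_limit', '500');

$names = array(
    PREG_NO_ERROR              => 'PREG_NO_ERROR',
    PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
    PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
);
foreach (array('per-character' => $perChar, 'per-run' => $perRun) as $label => $branch) {
    list($out, $err) = minifyCss($branch, $input);
    printf("%-13s result=%s error=%s\n", $label,
        $out === null ? 'NULL' : 'string(' . strlen($out) . ')',
        isset($names[$err]) ? $names[$err] : $err);
}

// Both branches must minify ordinary CSS identically (constructed sample with
// a normal comment and a backslash "hack" comment that has to survive).
$sample = "a { color : red ; } /* note */\n/* hack \\*/ b { }";
list($a) = minifyCss($perChar, $sample);
list($b) = minifyCss($perRun, $sample);
var_dump($a === $b);
```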