From:             tafkad at web dot de
Operating system: Linux Debian Lenny
PHP version:      5.2.9
PHP Bug Type:     PCRE related
Bug description:  Segmentation fault during many preg_matches
Description:
------------
I use a class (phpcc) to transform a search string into an SQL where clause. If it has many options like brackets or operators, or if it is a very long string, php ends in a segmentation fault. I've tested it with two php versions, 5.2.6 and 5.2.9. I use the cli version.

I've created a test script with a for loop that generates a simple search statement with 2000 search terms. If I run this script it crashes. When I decrease the amount of search terms to 1000 it runs clean. GDB shows preg_match as the last execute, that's why I think there must be an error.

The script uses a very huge amount of memory (I've configured php.ini with 1024M).

php.ini changes against the default (debian):
max_execution_time = 30000 ; 30 ; Maximum execution time of each script, in seconds
max_input_time = 60000 ; 60 ; Maximum amount of time each script may spend parsing request data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 1024M ; 32M ; Maximum amount of memory a script may consume (32MB)

Active modules (php -m)
[PHP Modules]
bcmath, bz2, calendar, ctype, curl, date, dba, dbase, dom, exif, ffmpeg, filter, ftp, gd, gettext, hash, iconv, json, libxml, mbstring, mime_magic, mysql, mysqli, ncurses, openssl, pcntl, pcre, PDO, pdo_mysql, posix, readline, Reflection, session, shmop, SimpleXML, soap, sockets, SPL, standard, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, wddx, xml, xmlreader, xmlwriter, zip, zlib

Reproduce code:
---------------
Code is too long. Under http://paste.root-zone.info/debug.tar.gz is a dir with the class and a test script.

Expected result:
----------------
Before the script can finish, php crashes.
Actual result:
--------------
#23 0x00000000004783db in match (eptr=0x0, ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x200000000 <Address 0x200000000 out of bounds>, offset_top=32767, md=0x0, ims=15, eptrb=0x47a157, flags=0, rdepth=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:1184
#24 0x000000000047a157 in match (eptr=0x1 <Address 0x1 out of bounds>, ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x200000000 <Address 0x200000000 out of bounds>, offset_top=32767, md=0x0, ims=3, eptrb=0x4803f4, flags=0, rdepth=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:714
#25 0x00000000004803f4 in match (eptr=0x2ed1fe5 "", ecode=0x107108e8 "'TESTSTR00001160' or OR_ID = 'TESTSTR00001161' or OR_ID = 'TESTSTR00001162' or OR_ID = 'TESTSTR00001163' or OR_ID = 'TESTSTR00001164' or OR_ID = 'TESTSTR00001165' or OR_ID = 'TESTSTR00001166' or OR_ID"..., mstart=0x27c2b71e0 <Address 0x27c2b71e0 out of bounds>, offset_top=32767, md=0x0, ims=45889320, eptrb=0x481f97, flags=0, rdepth=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:2035
#26 0x0000000000481f97 in php_pcre_exec (argument_re=0x10716821, extra_data=0x2ed2016, subject=0x20 <Address 0x20 out of bounds>, length=275843303, start_offset=0, options=275843304, offsets=0x488020, offsetcount=275614368) at /usr/src/php5/source/php5-5.2.9/ext/pcre/pcrelib/pcre_exec.c:4844
#27 0x0000000000488020 in php_pcre_match_impl (pce=0x107108e8, subject=0x5f390048662f <Address 0x5f390048662f out of bounds>, subject_len=0, return_value=0x10718550, subpats=0xc106f7fd0, global=0, use_flags=4753947, flags=0, start_offset=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/php_pcre.c:621
#28 0x0000000000488a1b in php_do_pcre_match (ht=3, return_value=0x106f7fd0, return_value_ptr=0x7fff7c2b31a0, this_ptr=0x7fff7c2b31b0, return_value_used=2083222224, global=0) at /usr/src/php5/source/php5-5.2.9/ext/pcre/php_pcre.c:513
#29 0x00000000006c01ad in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b7b60) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:200
#30 0x00000000006ac6a4 in execute (op_array=0x2be9420) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92
#31 0x00000000006bfabe in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b8410) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:234
#32 0x00000000006ac6a4 in execute (op_array=0x2bbd4e8) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92
#33 0x00000000006bfabe in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff7c2b9110) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:234
#34 0x00000000006ac6a4 in execute (op_array=0x2be08b8) at /usr/src/php5/source/php5-5.2.9/Zend/zend_vm_execute.h:92

-- 
Edit bug report at http://bugs.php.net/?id=47907&edit=1
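The backtrace above shows PCRE's recursive match() function deep in the call stack on a subject made of thousands of OR'd terms, which is the classic shape of a C stack overflow in the matcher. The following is an added example, not code from the bug report or from the phpcc class, showing how a script can make PCRE give up with an error before the stack is exhausted and handle that error instead of crashing. It assumes PHP 5.2 or later (preg_last_error and the pcre.recursion_limit setting) and that the chosen limit is below what the platform's stack can hold; the pattern, the constructed subject and the function names are illustrative.

```php
<?php
// Added example (not from the bug report): fail closed when PCRE hits its
// recursion limit instead of letting the process segfault.
// Assumes PHP >= 5.2 (preg_last_error, pcre.recursion_limit ini setting).

// Constructed subject in the shape of the backtrace: many OR'd search terms.
function build_where_clause($terms)
{
    $parts = array();
    for ($i = 0; $i < $terms; $i++) {
        $parts[] = sprintf("OR_ID = 'TESTSTR%08d'", $i);
    }
    return implode(' or ', $parts);
}

// Each repetition of the outer group is one more recursion level in PCRE's
// matcher, so the recursion depth grows with the number of terms.
$pattern = "/^(?:\\s*OR_ID\\s*=\\s*'[^']*'\\s*(?:or|OR)?)*\$/";

// Wrapper: true/false for match/no-match, null when PCRE aborted with an error.
function guarded_preg_match($pattern, $subject, &$matches = null)
{
    $rc = preg_match($pattern, $subject, $matches);
    if ($rc === false) {
        $errors = array(
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit',
        );
        $code = preg_last_error();
        $why  = isset($errors[$code]) ? $errors[$code] : "pcre error $code";
        error_log("preg_match aborted ($why) on " . strlen($subject) . "-byte subject");
        return null;
    }
    return $rc === 1;
}

// The default pcre.recursion_limit (100000) is far above what a typical 8 MB
// C stack can hold, so the stack overflows before the limit ever fires.
// A limit of a few thousand makes PCRE return an error first; the exact safe
// value depends on the pattern and the platform stack size (assumption here).
ini_set('pcre.recursion_limit', '2000');
ini_set('pcre.backtrack_limit', '1000000');

foreach (array(10, 1000, 2000) as $n) {
    $result = guarded_preg_match($pattern, build_where_clause($n));
    printf("%4d terms: %s\n", $n,
        $result === null ? 'aborted by limit' : ($result ? 'matched' : 'no match'));
}
```

Lowering the limit only converts the crash into a recoverable error; a subject that large should also be rejected by length before it reaches the regex, and any SQL built from it must still be parameterised.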