#49729 [Ver->Bgs]: Segfault in PHP 5.3 inside preg_replace

jani Thu, 01 Oct 2009 09:06:58 -0700

 ID:               49729
 Updated by:       j...@php.net
 Reported By:      kendallb at amainhobbies dot com
-Status:           Verified
+Status:           Bogus
 Bug Type:         Reproducible crash
 Operating System: Mac OS 10.6.1
 PHP Version:      5.3.0
 New Comment:


See bug #47689


Previous Comments:
------------------------------------------------------------------------

[2009-10-01 11:13:14] sjo...@php.net

Could reproduce with PHP 5.3 rev 288893, MacOS X 10.5.8.

(gdb) r
Starting program: /Users/sjoerd/Sources/php-src-5.3/sapi/cli/php -e -f
/Volumes/sjoerd-nfs/public_html/svnreps/test/a.php
Reading symbols for shared libraries ++++++++++....... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xbf7ffa7c
0x00058fed in match (eptr=0x976eca " OF BULLSHIT!!!\n  THIS"...,
ecode=0xaf07ae "_", mstart=0x976404 "'\n  THIS"..., offset_top=4,
md=0xbfffeacc, ims=0, eptrb=0x0, flags=0, rdepth=5515) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:432
432     {
(gdb) bt
....
....
....
#5513 0x0005ad96 in match (eptr=0x976406 "  THIS"..., ecode=0xaf07c3
"V", mstart=0x976404 "'\n  THIS"..., offset_top=4, md=0xbfffeacc, ims=0,
eptrb=0x0, flags=0, rdepth=2) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:1361
#5514 0x00059664 in match (eptr=0x976405 "\n  THIS"..., ecode=0xaf07be
"T", mstart=0x976404 "'\n  THIS"..., offset_top=2, md=0xbfffeacc, ims=0,
eptrb=0x0, flags=0, rdepth=1) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:720
#5515 0x0005a87d in match (eptr=0x976405 "\n  THIS"..., ecode=0xaf07ad
"g_", mstart=0x976404 "'\n  THIS"..., offset_top=2, md=0xbfffeacc,
ims=0, eptrb=0x0, flags=0, rdepth=0) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:1224
#5516 0x00066e97 in php_pcre_exec (argument_re=0xaf0780,
extra_data=0xbfffec3c, subject=0x976404 "'\n  THIS"..., length=6075,
start_offset=0, options=0, offsets=0x972530, offsetcount=6) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/pcrelib/pcre_exec.c:4895
#5517 0x0006d5d6 in php_pcre_replace_impl (pce=0xaf07d0,
subject=0x976404 "'\n  THIS"..., subject_len=6075, replace_val=0x972344,
is_callable_replace=0, result_len=0xbfffee5c, limit=-1,
replace_count=0xbfffee48) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1040
#5518 0x0006d346 in php_pcre_replace (regex=0x972438
"/'(\\\\'|\\\\{2}|[^'])*'/", regex_len=21, subject=0x976404 "'\n 
THIS"..., subject_len=6075, replace_val=0x972344, is_callable_replace=0,
result_len=0xbfffee5c, limit=-1, replace_count=0xbfffee48) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:950
#5519 0x0006e347 in php_replace_in_subject (regex=0x9723f8,
replace=0x972344, subject=0xc0012c, result_len=0xbfffee5c, limit=-1,
is_callable_replace=0, replace_count=0xbfffee48) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1267
#5520 0x0006eeff in preg_replace_impl (ht=3, return_value=0x9723b8,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1,
is_callable_replace=0, is_filter=0) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1367
#5521 0x0006f00a in zif_preg_replace (ht=3, return_value=0x9723b8,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at
/Users/sjoerd/Sources/php-src-5.3/ext/pcre/php_pcre.c:1387
#5522 0x0045efd9 in zend_do_fcall_common_helper_SPEC
(execute_data=0xc00040) at zend_vm_execute.h:313
#5523 0x004645d9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xc00040) at zend_vm_execute.h:1602
#5524 0x0045e112 in execute (op_array=0x9719f0) at
zend_vm_execute.h:104
#5525 0x0042ee7e in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /Users/sjoerd/Sources/php-src-5.3/Zend/zend.c:1188
#5526 0x003b3321 in php_execute_script (primary_file=0xbffff7fc) at
/Users/sjoerd/Sources/php-src-5.3/main/main.c:2214
#5527 0x00507e5f in main (argc=4, argv=0xbffff8f0) at
/Users/sjoerd/Sources/php-src-5.3/sapi/cli/php_cli.c:1190
(gdb) 



------------------------------------------------------------------------

[2009-10-01 10:37:43] f...@php.net

Not reproducible on Linux x86, so maybe Mac only.

------------------------------------------------------------------------

[2009-10-01 02:00:38] kendallb at amainhobbies dot com

Description:
------------
The following code causes a crash in PHP 5.3.0 (or 5.2.10) as supplied
by Zend Studio 7. It also causes a crash in PHP 5.3.0 as compiled by
MacPorts, so it appears to be a generic bug. 

Reproduce code:
---------------
<?php
/**
 * Cause a segfault in PHP 5.3.0
 */

$html = "
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
  THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!  
THIS IS A BUNCH OF BULLSHIT!!!   THIS IS A BUNCH OF BULLSHIT!!!
";

$sql = "'" . $html . "'";

$preg = "/'(\\\\'|\\\\{2}|[^'])*'/";

$sql = preg_replace($preg, 'replace', $sql);

echo $sql;


Expected result:
----------------
replace

Actual result:
--------------
Segmentation fault.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49729&edit=1

#49729 [Ver->Bgs]: Segfault in PHP 5.3 inside preg_replace

Reply via email to