http://bugs.exim.org/show_bug.cgi?id=1617

Summary: Segmentation fault in preg_match() with PHP 5.6.8/5.5.24
Product: PCRE
Version: N/A
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: bug
Priority: low
Component: Code
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]

Please ask if you need more information or details.

poc.php:

    <?php
    // The regex, delimiters included, is read verbatim from the file named on the command line.
    $pattern = file_get_contents($argv[1]);
    // preg_match() compiles the pattern on this call; the backtrace below places the crash in pcre_compile.c.
    preg_match($pattern, 'henri', $matches, PREG_OFFSET_CAPTURE, 3);
    ?>

    $ echo "$(cat afl-php-001)"; ./build/php/5.6.8/bin/php -v; ./build/php/5.6.8/bin/php poc.php afl-php-001
    ((?1)+()(())())*())
    PHP 5.6.8 (cli) (built: Apr 17 2015 09:28:04)
    Copyright (c) 1997-2015 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
    Segmentation fault

    (gdb) run poc.php afl-php-001
    Starting program: /home/fgeek/build/php/5.6.8/bin/php poc.php afl-php-001
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000005a6d5c in first_significant_code (skipassert=1, code=0x1dba9d9 "u") at /home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:1648
    1648      switch ((int)*code)
    (gdb) bt full
    #0  0x00000000005a6d5c in first_significant_code (skipassert=1, code=0x1dba9d9 "u") at /home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:1648
    No locals.
    #1  could_be_empty_branch (code=0x1dba9d6 "\201", endcode=0x1dbaa0e "", utf=0, cd=0x7fffffff92f0, recurses=0x0) at /home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:2343
            c = <optimized out>
            this_recurse = <error reading variable this_recurse (Cannot access memory at address 0x7fffff7fefe8)>
    #2  0x0000000000000000 in ?? ()
    No symbol table info available.
    (gdb) list
    1643    static const pcre_uchar*
    1644    first_significant_code(const pcre_uchar *code, BOOL skipassert)
    1645    {
    1646    for (;;)
    1647      {
    1648      switch ((int)*code)
    1649        {
    1650        case OP_ASSERT_NOT:
    1651        case OP_ASSERTBACK:
    1652        case OP_ASSERTBACK_NOT:

    fgeek@sid:~$ valgrind ./build/php/5.6.8/bin/php poc.php afl-php-001
    ==12892== Memcheck, a memory error detector
    ==12892== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==12892== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
    ==12892== Command: ./build/php/5.6.8/bin/php poc.php afl-php-001
    ==12892==
    ==12892== Stack overflow in thread 1: can't grow stack to 0xffe801ff8
    ==12892==
    ==12892== Process terminating with default action of signal 11 (SIGSEGV)
    ==12892==  Access not within mapped region at address 0xFFE801FF8
    ==12892==    at 0x5A6CED: could_be_empty_branch (pcre_compile.c:2339)
    ==12892==  If you believe this happened as a result of a stack
    ==12892==  overflow in your program's main thread (unlikely but
    ==12892==  possible), you can try to increase the size of the
    ==12892==  main thread stack using the --main-stacksize= flag.
    ==12892==  The main thread stack size used in this run was 8388608.
    ==12892== Stack overflow in thread 1: can't grow stack to 0xffe801ff0
    ==12892==
    ==12892== Process terminating with default action of signal 11 (SIGSEGV)
    ==12892==  Access not within mapped region at address 0xFFE801FF0
    ==12892==    at 0x4A236C0: _vgnU_freeres (vg_preloaded.c:58)
    ==12892==  If you believe this happened as a result of a stack
    ==12892==  overflow in your program's main thread (unlikely but
    ==12892==  possible), you can try to increase the size of the
    ==12892==  main thread stack using the --main-stacksize= flag.
    ==12892==  The main thread stack size used in this run was 8388608.
    ==12892==
    ==12892== HEAP SUMMARY:
    ==12892==     in use at exit: 3,066,152 bytes in 11,480 blocks
    ==12892==   total heap usage: 11,846 allocs, 366 frees, 3,133,021 bytes allocated
    ==12892==
    ==12892== LEAK SUMMARY:
    ==12892==    definitely lost: 0 bytes in 0 blocks
    ==12892==    indirectly lost: 0 bytes in 0 blocks
    ==12892==      possibly lost: 0 bytes in 0 blocks
    ==12892==    still reachable: 3,066,152 bytes in 11,480 blocks
    ==12892==         suppressed: 0 bytes in 0 blocks
    ==12892== Rerun with --leak-check=full to see details of leaked memory
    ==12892==
    ==12892== For counts of detected and suppressed errors, rerun with: -v
    ==12892== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
    Segmentation fault
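The pattern in the report only reaches pcre_compile() because poc.php hands it straight from a file to preg_match(); where a regex comes from untrusted input, a guard can refuse patterns that rely on subroutine calls such as (?1), or on deep group nesting, before the PCRE compiler ever sees them. The following is an added example and not part of the bug report or of PCRE; the depth limit MAX_GROUP_DEPTH and the set of rejected constructs are assumptions.

```php
<?php
// Added example, not from the bug report. Reject regex patterns that use
// subroutine/recursion calls or deep group nesting before they reach
// preg_match(). MAX_GROUP_DEPTH and the rejected constructs are assumptions.

const MAX_GROUP_DEPTH = 8;

// Recognises (?R), (?0), (?1), (?-1), (?+1), (?&name), (?P>name), \g<name>, \g'name'.
const SUBROUTINE_CALL_RE = '/\(\?(?:R|[+-]?\d+|&\w+|P>\w+)\)|\\\\g[<\']/';

function pattern_is_safe(string $pattern): bool
{
    // The crashing pattern depends on (?1); refuse any subroutine call outright.
    if (preg_match(SUBROUTINE_CALL_RE, $pattern) === 1) {
        return false;
    }

    // Bound how deeply groups nest, skipping escaped characters. Parentheses
    // inside character classes are counted as well, which only makes the
    // check stricter (false rejections, never false acceptances).
    $depth = 0;
    $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\') {
            $i++;                       // skip the escaped character
        } elseif ($c === '(') {
            if (++$depth > MAX_GROUP_DEPTH) {
                return false;
            }
        } elseif ($c === ')') {
            $depth--;
        }
    }
    return true;
}

// Wrapper that treats a rejected pattern as "no match" and records the rejection.
function guarded_preg_match(string $pattern, string $subject): int
{
    if (!pattern_is_safe($pattern)) {
        error_log('regex rejected by pattern_is_safe(): ' . $pattern);
        return 0;
    }
    $r = preg_match($pattern, $subject);
    return $r === false ? 0 : $r;
}

// Constructed inputs: the pattern from the report and an ordinary one.
var_dump(pattern_is_safe('((?1)+()(())())*())'));
var_dump(pattern_is_safe('/^[a-z]+@example\.test$/'));
var_dump(guarded_preg_match('/^hen/', 'henri'));
```

The first var_dump() shows the reported pattern being refused by the subroutine-call check alone, so the depth limit is only a second line of defence for patterns that nest without recursing.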
