https://bugs.exim.org/show_bug.cgi?id=2035
Bug ID: 2035
Summary: Segmentation fault in PHP7.1.1(bundled PCRE8.38)
Product: PCRE
Version: 8.38
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: idaif...@gmail.com
CC: pcre-dev@exim.org

Segmentation fault in php_src/ext/pcre/pcrelib/pcre_jit_compile.c:7336.

$ php -r "echo PCRE_VERSION;"
8.38 2015-11-23

$ php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies

Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>

Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
    #0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
    #1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
    #3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
    #4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
    #5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
    #6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
    #7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
    #8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
    #9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
    #10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
    #11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
    #12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
    #13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
    #14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
    #15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
    #16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
    #17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x43a768 in _start (/tmp/php+0x43a768)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath

GDB backtrace:
#0  0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8, cc=0x1f04d4f "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1  0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8, cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2  0x0000000000609e7c in compile_recurse (common=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3  _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4  0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1, errorptr=<optimized out>) at /home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5  0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120) at ext/pcre/php_pcre.c:518
#6  0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized out>, subject_len=<optimized out>, replace_val=<optimized out>, is_callable_replace=<optimized out>, limit=<optimized out>, replace_count=<optimized out>, subject_str=<optimized out>) at ext/pcre/php_pcre.c:1132
#7  php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=<optimized out>, limit=-1, is_callable_replace=0, replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8  0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78, regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250, limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at ext/pcre/php_pcre.c:1554
#9  0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0, return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000, return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>, retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at sapi/cli/php_cli.c:1381
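Both backtraces above die inside _pcre_jit_compile, reached from php_pcre_study, so the first thing a triager wants to know is whether the same pattern survives with PHP's pcre.jit ini setting turned off. The harness below is an added example and is not part of the bug report or of PHP or PCRE; it runs the reporter's pattern in a child php process for each setting so that a JIT crash kills the child rather than the triage script. The subject string, the use of PHP_BINARY, and reading a shell exit status of 139 as "killed by SIGSEGV" are this example's own assumptions.

```php
<?php
// Added triage harness (not from the bug report). Runs the reporter's
// pattern in a separate php process with pcre.jit on and then off, so
// that a crash inside the JIT compiler takes down the child only.
declare(strict_types=1);

// Pattern copied from the bug report's test script; subject is assumed.
const CRASH_PATTERN = "/(((?(?!))0(?1))(?''))/";
const SUBJECT = "helloworld";

/**
 * Compile and match $pattern in a child php process with pcre.jit set to
 * $jit. Returns the child's exit status and whatever it printed. A child
 * killed by SIGSEGV is reported by the shell as exit status 139 (128 + 11).
 */
function probe(string $pattern, bool $jit): array
{
    // Child prints preg_match's return value and preg_last_error();
    // the @ keeps a compile warning from being mistaken for a crash.
    $script = sprintf(
        'var_export(@preg_match(%s, %s)); echo " err=", preg_last_error();',
        var_export($pattern, true),
        var_export(SUBJECT, true)
    );
    $cmd = sprintf(
        '%s -d pcre.jit=%d -r %s 2>&1',
        escapeshellarg(PHP_BINARY),
        $jit ? 1 : 0,
        escapeshellarg($script)
    );
    exec($cmd, $lines, $status);
    return ['jit' => $jit, 'status' => $status, 'output' => implode("\n", $lines)];
}

foreach ([true, false] as $jit) {
    $r = probe(CRASH_PATTERN, $jit);
    printf(
        "pcre.jit=%d -> exit %d%s\n",
        $jit ? 1 : 0,
        $r['status'],
        $r['status'] === 139 ? ' (child died with SIGSEGV)' : ''
    );
    if ($r['output'] !== '') {
        echo "  output: ", $r['output'], "\n";
    }
}
```

Run it with the same php binary the report was filed against; a child that dies only when pcre.jit=1 confirms the crash is confined to the JIT path shown in the backtraces, and `-d pcre.jit=0` is then the immediate mitigation while the PCRE fix is pending. The harness itself never evaluates the pattern in-process, so it can be reused for any suspected crashing pattern by changing CRASH_PATTERN.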