ID:               39016
 Updated by:       [EMAIL PROTECTED]
 Reported By:      jan at horde dot org
-Status:           Assigned
+Status:           Feedback
 Bug Type:         PCRE related
 Operating System: Linux
 PHP Version:      5.2.0RC4
 Assigned To:      andrei
 New Comment:

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Your reproducing script isn't complete (I can't run it).


Previous Comments:
------------------------------------------------------------------------

[2006-10-02 15:58:10] [EMAIL PROTECTED]

Andrei, please take a look at this.
Looks like yet another stack overflow in PCRE..

------------------------------------------------------------------------

[2006-10-02 15:51:41] jan at horde dot org

(gdb) p subject
$1 = (zval **) 0xb6f019e0
(gdb) p **subject
Cannot access memory at address 0x1
(gdb) p string_key
$2 = 0x10 <Address 0x10 out of bounds>
(gdb) p num_key
$3 = 1

------------------------------------------------------------------------

[2006-10-02 15:48:34] [EMAIL PROTECTED]

What do you get in GDB with
p subject
p **subject
p string_key
p num_key
?

------------------------------------------------------------------------

[2006-10-02 15:41:08] jan at horde dot org

I didn't try a snapshot since this happens with PHP 4, so I guess it's
an older issue that simply hasn't been triggered yet.

Here's the valgrind log:

==32185==  Address 0xBEDDDD32 is on thread 1's stack
==32185==
==32185== Invalid read of size 4
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==32185==
==32185== Process terminating with default action of signal 11 (SIGSEGV)
==32185==  Access not within mapped region at address 0x1
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)

------------------------------------------------------------------------

[2006-10-02 15:36:50] jan at horde dot org

I should add the lines of code that caused this, right? :)


$regexp = <<<EOR
    /
    # Version 1: mailto: links with any valid email characters.
    # Pattern 1: Outlook parenthesizes in square brackets
    (\[\s*)?
    # Pattern 2: mailto: protocol prefix
    (mailto:\s?)
    # Pattern 3: email address
    ([^\s\?"<]*)
    # Pattern 4 to 6: Optional parameters
    ((\?)([^\s"<]*[\w+#?\/&=]))?
    # Pattern 7: Closing Outlook square bracket
    ((?(1)\s*\]))

    |
    # Version 2 Pattern 8: simple email addresses.
    ([EMAIL PROTECTED])
    # Pattern 9 to 11: Optional parameters
    ((\?)([^\s"<]*[\w+#?\/&=]))?

    /eix
EOR;

preg_replace($regexp,
             'Text_Filter_emails::callback(\'' . $tag . '\', \'' . $class . '\', \'$1\', \'$2\', \'$3\', \'$4\', \'$6\', \'$7\', \'$8\', \'$9\', \'$11\')',
             'a long list of email addresses etc.');

The regexp part that causes the problem, i.e. the one that no longer
segfaults if removed, is pattern #8.

------------------------------------------------------------------------
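The pattern quoted above runs under the /e modifier, which makes preg_replace() evaluate the replacement string as PHP code, and the thread attributes the crash to PCRE exhausting its stack on a long subject. The script below is an added example, not code from the bug report or from Horde: it rewrites the mailto: half of that pattern with preg_replace_callback(), so no replacement text is ever eval'd, caps PCRE's backtracking and recursion through the pcre.backtrack_limit and pcre.recursion_limit ini settings (both available from PHP 5.2.0), and checks preg_last_error() so that a hit limit surfaces as a reported error rather than a silent NULL. The regex, the rewrite_mailto() and link_mailto_addresses() names, and the sample subject are all constructed for this example. Whether these limits would have prevented this particular segfault is not something the report establishes; they are the standard way to turn runaway matching into a checkable failure.

```php
<?php
// Added example (not from the bug report). Constructed pattern: the mailto:
// branch of the reported regex, groups numbered as in the report (1..7),
// without the /e modifier. With no whitespace inside, the x flag is not needed.
define('MAILTO_RE',
    '/(\[\s*)?(mailto:\s?)([^\s\?"<]*)((\?)([^\s"<]*[\w+#?\/&=]))?((?(1)\s*\]))/i');

// Cap how much work PCRE may do per match. When a cap is hit, preg_*
// returns NULL and preg_last_error() says which limit was reached.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '1000');

// Callback replacement: receives the match array, returns plain text. Nothing
// here is evaluated as code, unlike the /e replacement string in the report.
function rewrite_mailto(array $m)
{
    // $m[3] is the address (group 3). It is untrusted input, so escape it
    // before it goes into an attribute and into element text.
    $addr = htmlspecialchars($m[3], ENT_QUOTES, 'UTF-8');
    // Keep the optional Outlook brackets (groups 1 and 7) around the link.
    return $m[1] . '<a href="mailto:' . $addr . '">' . $addr . '</a>' . $m[7];
}

// Returns array('ok' => bool, 'result' => string|null, 'error' => string).
function link_mailto_addresses($subject)
{
    $result = preg_replace_callback(MAILTO_RE, 'rewrite_mailto', $subject);

    $error = '';
    if ($result === null) {
        switch (preg_last_error()) {
            case PREG_BACKTRACK_LIMIT_ERROR:
                $error = 'pcre.backtrack_limit reached';
                break;
            case PREG_RECURSION_LIMIT_ERROR:
                $error = 'pcre.recursion_limit reached';
                break;
            case PREG_BAD_UTF8_ERROR:
                $error = 'subject is not valid UTF-8';
                break;
            default:
                $error = 'internal PCRE error';
        }
    }
    return array('ok' => $result !== null, 'result' => $result, 'error' => $error);
}

// Constructed sample subject: one bracketed Outlook-style link, one bare one
// with a query string.
$subject = 'Contact [mailto:alice@example.org] or mailto:bob@example.org?subject=hi';

$out = link_mailto_addresses($subject);
if ($out['ok']) {
    echo $out['result'], "\n";
} else {
    // On failure, fall back to the unmodified text and log the reason rather
    // than emitting NULL (which would render as an empty string).
    error_log('mailto rewrite failed: ' . $out['error']);
    echo htmlspecialchars($subject, ENT_QUOTES, 'UTF-8'), "\n";
}
?>
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the callback form is also the only one that still works on current PHP. The important habit for code that runs user-supplied text through PCRE is the NULL check: preg_replace() and preg_replace_callback() return NULL on a PCRE error, and a caller that concatenates the result straight into a page will silently emit nothing instead of failing visibly.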

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/39016

-- 
Edit this bug report at http://bugs.php.net/?id=39016&edit=1
