ID:               39016
 User updated by:  jan at horde dot org
 Reported By:      jan at horde dot org
-Status:           Feedback
+Status:           Open
 Bug Type:         PCRE related
 Operating System: Linux
 PHP Version:      5.2.0RC4
 Assigned To:      andrei
 New Comment:

The code is sufficient, because it segfaulted before it was even able
to call the callback. But I can't reproduce this anymore with 5.2.3.


Previous Comments:
------------------------------------------------------------------------

[2007-10-07 10:38:58] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Your reproducing script isn't complete (I can't run it).

------------------------------------------------------------------------

[2006-10-02 15:58:10] [EMAIL PROTECTED]

Andrei, please take a look at this.
Looks like yet another stack overflow in PCRE.

------------------------------------------------------------------------

[2006-10-02 15:51:41] jan at horde dot org

(gdb) p subject
$1 = (zval **) 0xb6f019e0
(gdb) p **subject
Cannot access memory at address 0x1
(gdb) p string_key
$2 = 0x10 <Address 0x10 out of bounds>
(gdb) p num_key
$3 = 1

------------------------------------------------------------------------

[2006-10-02 15:48:34] [EMAIL PROTECTED]

What do you get in GDB with
p subject
p **subject
p string_key
p num_key
?

------------------------------------------------------------------------

[2006-10-02 15:41:08] jan at horde dot org

I didn't try a snapshot since this happens with PHP 4, so I guess it's
an older issue that simply hasn't been triggered yet.

Here's the valgrind log:

==32185==  Address 0xBEDDDD32 is on thread 1's stack
==32185==
==32185== Invalid read of size 4
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==32185==
==32185== Process terminating with default action of signal 11 (SIGSEGV)
==32185==  Access not within mapped region at address 0x1
==32185==    at 0x449FCA7: preg_replace_impl (php_pcre.c:1307)
==32185==    by 0x4767B6B: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:200)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)
==32185==    by 0x475AFBC: execute (zend_vm_execute.h:92)
==32185==    by 0x47675EA: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:234)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/39016

-- 
Edit this bug report at http://bugs.php.net/?id=39016&edit=1
