ID: 43301
Updated by: [EMAIL PROTECTED]
Reported By: yoy dot noneoff at dfgh dot net
-Status: Open
+Status: Closed
Bug Type: mbstring related
Operating System: win xp sp2
PHP Version: 5.3CVS-2007-11-15 (CVS)
New Comment:
Those are expected and unfortunate side-effects and happen also if you
do the same using pcre.
Previous Comments:
------------------------------------------------------------------------
[2007-11-16 19:14:29] yoy dot noneoff at dfgh dot net
The crash issue is indeed gone, but two new problems appear.
I downloaded the latest package, and I notice that now there are 2 errors
raised:
PHP Parse error
and
PHP Fatal error
prob 1: the rest of script execution stops
I also think the PHP Fatal error is NOT required; in addition, it's a
security risk.
for example
mb_ereg_replace('ptr','<script>alert(\'are you sure\')</script>','text with ptr','e')
return:
PHP Parse error: syntax error, unexpected '<' in test.php: mbregex replace on line 1
PHP Fatal error: mb_ereg_replace(): Failed evaluating code: <script>alert('are you sure')</script> in test.php on line 3
------------------------------------------------------------------------
[2007-11-16 12:29:42] [EMAIL PROTECTED]
This bug has been fixed in CVS.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2007-11-16 11:55:15] [EMAIL PROTECTED]
Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1
Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35 CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0 0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1 0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 "/home/jani/src/php-5.3/Zend/zend_operators.c", __zend_lineno=599) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2 0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc "/home/jani/src/php-5.3/ext/mbstring/php_mbregex.c", __zend_lineno=742) at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3 0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4 0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5 0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6 0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7 0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8 0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9 0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140
------------------------------------------------------------------------
[2007-11-16 04:18:39] yoy dot noneoff at dfgh dot net
Function                                           Arg 1     Arg 2     Arg 3     Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5   00000004  0112c838  00000000
php_mbstring!zif_mb_ereg_replace+25                00000004  0112c838  00000000
php5ts!zend_do_fcall_common_helper_SPEC+85b        00c0fbf0  00033f50  0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f        00000000  00033f50  00033f50
php5ts!execute+1b7                                 0112c298  00033f50  00000000
php5ts!zend_execute_scripts+107                    00000008  00033f50  00000000
php5ts!php_execute_script+20d                      00c0fec8  00033f50  ed13662e
php!main+c0e                                       00000002  00032cc0  00032f38
php!mainCRTStartup+e3                              ed13662e  01c827f6  7ffd4000
kernel32!RegisterWaitForInputIdle+49               00402c12  00000000  00000000
------------------------------------------------------------------------
[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net
correct Reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr,'$1',$txt,'e');
?>
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/43301