From:
Operating system: Debian Lenny (5.0.5)
PHP version: 5.2.13
Package: PCRE related
Bug Type: Bug
Bug description:crash in preg_replace_impl
Description:
------------
The crash occurring is most likely related to very high integer/double
values (>10M) being inserted in a long string (~20K).
The problem does not occur on PHP 5.3.something, so it might be a simple
backport :). Unless somebody can tell me how I get more information out of
the crashing process, this is all I have (trying to print local variables of
the crashing function results in:
(gdb) p **regex
Cannot access memory at address 0x686f72393438343e
or similar).
The regular expression involved is most likely:
'/\{([A-Z0-9_]*)(?:\|(?P<escaper>[A-Z0-9_]+))?\}/'
executed by preg_replace_callback, where the callback is an
array('class_name', 'some_private_function').
If required I'll try to build a small test script and attach that, but I
guess it's not required.
Probably related to http://bugs.php.net/bug.php?id=39016
reproducible: always
Test script:
---------------
<?php
//no test script currently available
?>
Expected result:
----------------
no php crash correctly replaced string
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f877c078750 (LWP 6259)]
preg_replace_impl (ht=5, return_value=0x12a8a90,
return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c,
return_value_used=0, is_callable_replace=0 '\0')
at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
warning: Source file is more recent than executable.
32 if (zvalue->type <= IS_BOOL) {
(gdb) bt
#0 preg_replace_impl (ht=5, return_value=0x12a8a90,
return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c,
return_value_used=0,
is_callable_replace=0 '\0') at
/usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
#1 0x00007f8774cef3cd in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff5410) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
#2 0x00007f8774cd8134 in execute (op_array=0xf02040) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#3 0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff5760) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#4 0x00007f8774cd8134 in execute (op_array=0xef48b0) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#5 0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff5e70) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#6 0x00007f8774cd8134 in execute (op_array=0xf03780) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#7 0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff6330) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#8 0x00007f8774cd8134 in execute (op_array=0xf02c90) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#9 0x00007f8774ceecde in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff9ac0) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#10 0x00007f8774cd8134 in execute (op_array=0xa2aa70) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#11 0x00007f8774cb41c8 in zend_execute_scripts (type=32767, retval=0x0,
file_count=-25624) at /usr/src/php5/source/php5-5.2.13/Zend/zend.c:1215
#12 0x00007f8774c6e0ea in php_execute_script (primary_file=Cannot access
memory at address 0x8000ffff8b50
) at /usr/src/php5/source/php5-5.2.13/main/main.c:2058
#13 0x00007f8774d2aa73 in php_handler (r=0x7f877423690a) at
/usr/src/php5/source/php5-5.2.13/sapi/apache2handler/sapi_apache2.c:643
#14 0x0000000000438f73 in ap_run_handler (r=0xecc9a8) at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:159
#15 0x000000000043c53f in ap_invoke_handler (r=0xecc9a8) at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:373
#16 0x000000000044970e in ap_process_request (r=0xecc9a8)
at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_request.c:258
#17 0x0000000000446838 in ap_process_http_connection (c=0xdfec88)
at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_core.c:190
#18 0x0000000000440493 in ap_run_process_connection (c=0xdfec88) at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/connection.c:43
#19 0x000000000044dd10 in child_main (child_num_arg=<value optimized out>)
at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#20 0x000000000044e064 in make_child (s=0x675968, slot=1)
at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#21 0x000000000044e60c in ap_mpm_run (_pconf=<value optimized out>,
plog=<value optimized out>, s=0x675968)
at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:795
#22 0x0000000000425be5 in main (argc=3, argv=0x7fffffffc558) at
/build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/main.c:732
(gdb) bt full
#0 preg_replace_impl (ht=5, return_value=0x12a8a90,
return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c,
return_value_used=0,
is_callable_replace=0 '\0') at
/usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
regex = (zval **) 0xa155b0
replace = (zval **) 0xa155b8
subject = (zval **) 0xa155c0
limit = (zval **) 0x7f8774cd1a4d
subject_entry = (zval **) 0xa155c8
zcount = (zval **) 0x7f8774d1b868
result = 0x12a8a08 "�\220*\001"
result_len = 0
limit_val = -1
string_key = 0x10 <Address 0x10 out of bounds>
num_key = 19345208
callback_name = 0xef2b88 "pE9\001"
replace_count = 10573224
replace_count_ptr = (int *) 0x7fffffff4cd0
#1 0x00007f8774cef3cd in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fffffff5410) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
return_reference = 1 '\001'
opline = (zend_op *) 0x8
original_return_value = (zval **) 0x80a370
current_scope = (zend_class_entry *) 0xf04fe8
current_this = (zval *) 0x0
return_value_used = 0
should_change_scope = 41 ')'
#2 0x00007f8774cd8134 in execute (op_array=0xf02040) at
/usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
execute_data = Cannot access memory at address 0x8000ffff5410
(gdb)
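The report ships no test script, so the following is an added reproduction harness, not the reporter's code. It rebuilds the call pattern the description gives: the report's regex, preg_replace_callback with an array('class_name', 'method') callback invoked from inside that class, a subject of roughly 20K characters, and large integer/double values (>10M) inserted by the callback. The class, method and variable names, the escaper behaviour and the sample values are assumptions; the script also reads preg_last_error() so a failed call is distinguishable from an empty result.

```php
<?php
// Added reproduction harness (not the reporter's script, which is unavailable).
// Mirrors the call pattern from the report: the report's regex, a
// preg_replace_callback with an array('class_name', 'method') callback, a
// ~20K subject, and >10M integer/double values substituted by the callback.
// Class, method and variable names are assumptions.

class PlaceholderTemplate
{
    // Constructed sample values, chosen to match the report's description.
    private static $vars = array(
        'COUNT'  => 12345678,        // integer above 10M
        'AMOUNT' => 98765432.125,    // double above 10M
        'NAME'   => 'a<b>&"c',       // something an escaper would have to touch
    );

    // Referenced as array('PlaceholderTemplate', 'substitute'); a private method
    // is callable here because preg_replace_callback runs from inside this class.
    private static function substitute(array $m)
    {
        $value = isset(self::$vars[$m[1]]) ? self::$vars[$m[1]] : '';
        // The optional named group from the regex, e.g. {NAME|HTML}.
        // Older PHP omits trailing unmatched groups, hence the isset().
        if (isset($m['escaper']) && $m['escaper'] === 'HTML') {
            $value = htmlspecialchars((string) $value, ENT_QUOTES);
        }
        return (string) $value;
    }

    // Returns the replaced string (NULL on failure), the replacement count
    // and the PCRE error code so the caller can tell failure from success.
    public static function render($template)
    {
        $regex = '/\{([A-Z0-9_]*)(?:\|(?P<escaper>[A-Z0-9_]+))?\}/';
        $count = 0;
        $out = preg_replace_callback($regex,
                                     array('PlaceholderTemplate', 'substitute'),
                                     $template, -1, $count);
        return array($out, $count, preg_last_error());
    }
}

// Build a subject of about 20K characters containing many placeholders,
// including one ({UNKNOWN}) that resolves to an empty string.
$unit     = "row {COUNT} costs {AMOUNT} for {NAME|HTML} and {UNKNOWN}\n";
$template = str_repeat($unit, (int) ceil(20000 / strlen($unit)));

list($result, $count, $err) = PlaceholderTemplate::render($template);

printf("subject length: %d, result length: %s, replacements: %d, preg_last_error: %d\n",
       strlen($template),
       $result === null ? 'NULL (call failed)' : strlen($result),
       $count, $err);
echo substr((string) $result, 0, 120), "\n";
```

Run it under the affected PHP binary (optionally inside gdb, as in the report) to see whether the segfault reproduces; on an unaffected build it prints the lengths, the replacement count and a preg_last_error() of 0. If the crash does not reproduce, the reporter's actual template or values differ from these constructed ones, which is the information a maintainer would need next.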
--
Edit bug report at http://bugs.php.net/bug.php?id=52368&edit=1