From:
Operating system: win32 (vista x86)
PHP version: 5.3.10
Package: PCRE related
Bug Type: Bug
Bug description:PCRE - Stack Overflow due to unlimited recursions in
preg_match() crashing php5
Description:
------------
stack overflow in php5ts.dll
Unhandled exception at 0x60b7b0b3 (php5ts.dll) in httpd.exe: 0xC00000FD:
Stack overflow.
module: php5ts.dll
affected php versions: 5.3.8/5.3.9/5.3.10 (win32)
src: ./ext/pcre/php_pcre.c:497
./ext/pcre/pcre_exec.c:649 (position on stack overflow, random since
this is a stack overflow)
BTW, yes, I know I can set pcre.recursion_limit. This might fix the symptoms
but not the problem. PHP crashes even with pcre.recursion_limit=650. For
example, other projects do not crash on maxed-out recursions...
Regards,
Martin
-------------
Call Stack:
-----------
... php5ts.dll!match() repeated until stack exhausted ....
php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705ca0, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000004, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000001) Line 1515 + 0x2f bytes C
php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned char * ecode=0x02705c98, const unsigned char * mstart=0x04d6e66f, const unsigned char * markptr=0x00000000, int offset_top=0x00000002, match_data * md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int flags=0x00000000, unsigned int rdepth=0x00000000) Line 834 + 0x40 bytes C
php5ts.dll!php_pcre_exec(const real_pcre * argument_re=0x02705c70, const pcre_extra * extra_data=0x0230fa5c, const char * subject=0x04d6e5f0, int length=0x00000467, int start_offset=0x00000000, int options=0x00000000, int * offsets=0x04d6eb10, int offsetcount=0x0000000c) Line 6099 + 0x3f bytes C
php5ts.dll!php_pcre_match_impl(pcre_cache_entry * pce=0x04f79918, char * subject=0x04d6e5f0, int subject_len=0x00000467, _zval_struct * return_value=0x04d6eaa0, _zval_struct * subpats=0x04d6ea80, int global=0x00000000, int use_flags=0x00000000, long flags=0x00000000, long start_offset=0x00000000, void * * * tsrm_ls=0x0278ca60) Line 629 C
php5ts.dll!php_do_pcre_match(int ht=0x00000003, _zval_struct * return_value=0x00000000, _zval_struct * * return_value_ptr=0x60b72db7, _zval_struct * this_ptr=0x60b72db7, int return_value_used=0x60b72db7, void * * * tsrm_ls=0x00000000, int global=0x00000000) Line 520 + 0x2b bytes C
php5ts.dll!zif_preg_match(int ht=0x00000003, _zval_struct * return_value=0x04d6eaa0, _zval_struct * * return_value_ptr=0x00000000, _zval_struct * this_ptr=0x00000000, int return_value_used=0x00000001, void * * * tsrm_ls=0x0278ca60) Line 771 + 0x17 bytes C
php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * execute_data=0x04da0080, void * * * tsrm_ls=0x0278ca00) Line 320 + 0x41 bytes C
php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * execute_data=0x00000000, void * * * tsrm_ls=0x00000000) Line 1640 + 0xe bytes C
php5ts.dll!execute(_zend_op_array * op_array=0x04d6dca0, void * * * tsrm_ls=0x0278ca00) Line 107 + 0xa bytes C
php5ts.dll!zend_execute_scripts(int type=0x00000008, void * * * tsrm_ls=0x0278ca60, _zval_struct * * retval=0x00000000, int file_count=0x00000003, ...) Line 1237 C
php5ts.dll!php_execute_script(_zend_file_handle * primary_file=0x0230fe44, void * * * tsrm_ls=0x0278ca60) Line 2308 + 0x12 bytes C
php5apache2_2.dll!php_handler(request_rec * r=0x01f77130) Line 669 + 0xe bytes C
libhttpd.dll!6ff02515()
....
System info (this is from PHP 5.3.8, same behavior in 5.3.10):
-------------
System Windows NT xx6.0 build 6002 (Windows Vista Business Edition Service Pack 2) i586
Architecture x86
Configure Command cscript /nologo configure.js "--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=D:\php-sdk\oracle\instantclient11\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze"
Apache Version Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8
pcre
PCRE (Perl Compatible Regular Expressions) Support enabled
PCRE Library Version 8.12 2011-01-15
Test script:
---------------
<?php
$data=
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"praeparari"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApraeparariAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
//+1A to crash => 10.494~
print_r(preg_match("/(\"praeparari\")(.)*(\.)/ixs", $data)); // crash: the repeated capturing group (.)* nests one match() call per subject character
print_r(preg_match("/(.)*/ixs", $data)); // crash: same group shape, nothing else needed to trigger it
?>
Expected result:
----------------
no crash.
Actual result:
--------------
httpd worker crashes due to crash in php5ts
--
Edit bug report at https://bugs.php.net/bug.php?id=61213&edit=1
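The following is an added example, not code from the bug report or from PHP itself. It shows the two things a practitioner wants around this report: how to detect that preg_match() gave up because of the PCRE recursion budget (preg_match() returns false, not 0, and a plain `if (!preg_match(...))` silently treats that as "no match"), and how the report's `(.)*` compares with `(.*)`, which matches the same strings but runs the greedy `.*` as a loop inside one group instead of nesting a match() call per iteration. The limits, subject size and helper names are assumptions chosen for illustration; the behaviour described assumes the non-JIT interpreter (PHP 5.3, or pcre.jit=0 on PHP 7+), since with the JIT enabled the recursion limit is not applied.

```php
<?php
// Added example (not from the bug report, not PHP's own code): detect when
// preg_match() gives up because of the PCRE recursion budget, and compare the
// "(.)*" form from the report with "(.*)", which matches the same strings but
// does not nest a match() call once per subject character.
// Limits, subject size and function names are assumptions chosen for illustration.

// Name the preg_last_error() code after a preg_* call; covers the constants
// available from PHP 5.3 on, plus the JIT one where it exists.
function pcre_error_name()
{
    $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    if (defined('PREG_JIT_STACKLIMIT_ERROR')) {                 // PHP 7.0+
        $names[PREG_JIT_STACKLIMIT_ERROR] = 'PREG_JIT_STACKLIMIT_ERROR';
    }
    $err = preg_last_error();
    return isset($names[$err]) ? $names[$err] : 'error #' . $err;
}

// Run one pattern under explicit limits and report a three-way outcome:
// 'match', 'nomatch' or 'error'. The error branch is the one to watch:
// a bare `if (!preg_match(...))` treats false (engine gave up) like 0 (no match),
// which turns a denylist check into a bypass.
function match_with_budget($pattern, $subject, $recursion_limit, $backtrack_limit)
{
    ini_set('pcre.recursion_limit', (string) $recursion_limit); // PHP_INI_ALL, settable per request
    ini_set('pcre.backtrack_limit', (string) $backtrack_limit);
    ini_set('pcre.jit', '0'); // no-op before PHP 7; with the JIT on, the recursion limit is not applied

    $rc = preg_match($pattern, $subject, $m);
    if ($rc === false) {
        return array('outcome' => 'error', 'detail' => pcre_error_name());
    }
    return array(
        'outcome' => $rc === 1 ? 'match' : 'nomatch',
        'detail'  => $rc === 1 ? strlen($m[0]) . ' bytes matched' : '',
    );
}

// Constructed subject with the same shape as the report's data: filler, the
// quoted word, more filler, and a terminating dot for the (\.) group.
$subject = str_repeat('A', 120) . '"praeparari"' . str_repeat('A', 1000) . '.';

$patterns = array(
    'report form' => '/("praeparari")(.)*(\.)/ixs', // one nested match() call per iteration of (.)
    'rewritten'   => '/("praeparari")(.*)(\.)/ixs', // greedy .* inside one group: bounded depth
);

foreach ($patterns as $label => $pattern) {
    $r = match_with_budget($pattern, $subject, 200, 1000000);
    printf("%-12s %-30s %-8s %s\n", $label, $pattern, $r['outcome'], $r['detail']);
}
```

With the recursion limit set to 200 and 1000 filler bytes after the quoted word, the report form is expected to come back as an error with PREG_RECURSION_LIMIT_ERROR on a non-JIT build, while the rewritten form matches, because each iteration of `(.)` is another nested match() call and `.*` is not. The reporter's point still stands: the limit only converts the crash into an error, and on the Windows build described above the thread stack was exhausted even below the limit, so the code-level fix is to avoid per-character recursion in the pattern and to treat `false` from preg_match() as a failure rather than as "no match".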