Bug #61213 [Nab]: PCRE - Stack Overflow due to unlimited recursions in preg_match() crashing php5

pajoye Wed, 29 Feb 2012 23:12:23 -0800

Edit report at https://bugs.php.net/bug.php?id=61213&edit=1


 ID:                 61213
 Updated by:         paj...@php.net
 Reported by:        mccool at gmx dot ch
 Summary:            PCRE - Stack Overflow due to unlimited recursions in
                     preg_match() crashing php5
 Status:             Not a bug
 Type:               Bug
 Package:            PCRE related
 Operating System:   win32 (vista x86)
 PHP Version:        5.3.10
 Block user comment: N
 Private report:     N

 New Comment:

Alternatively you can increase the stack on windows too by increasing the stack 
of 
Apache. See the other reports about this problem. Editbin or http config can 
help.


Previous Comments:
------------------------------------------------------------------------
[2012-03-01 00:41:48] fel...@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

It's known PCRE problem, not a PHP issue. Check out other PCRE related reports.

------------------------------------------------------------------------
[2012-02-29 20:59:56] mccool at gmx dot ch

Description:
------------
stack overflow in php5ts.dll

Unhandled exception at 0x60b7b0b3 (php5ts.dll) in httpd.exe: 0xC00000FD: Stack 
overflow.
module: php5ts.dll


affected php versions: 5.3.8/5.3.9/5.3.10 (win32)
src: ./ext/pcre/php_pcre.c:497
     ./ext/pcre/pcre_exec.c:649  (position on stack overflow, random since this 
is a stack overflow)


btw. yes i know i can set pcre.recursion_limit. this might fix the symptoms but 
not the problem. php crashes even with pcre.recursion_limit=650. for example 
other projects do not crash on maxed out recursions...

Regards,
Martin
-------------
Call Stack:
-----------

... php5ts.dll!match() repeatet until stack exhausted ....
        php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned 
char * ecode=0x02705ca0, const unsigned char * mstart=0x04d6e66f, const 
unsigned char * markptr=0x00000000, int offset_top=0x00000004, match_data * 
md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int 
flags=0x00000000, unsigned int rdepth=0x00000001)  Line 1515 + 0x2f bytes     C
        php5ts.dll!match(const unsigned char * eptr=0x04d6e66f, const unsigned 
char * ecode=0x02705c98, const unsigned char * mstart=0x04d6e66f, const 
unsigned char * markptr=0x00000000, int offset_top=0x00000002, match_data * 
md=0x0230f914, unsigned long ims=0x00000005, eptrblock * eptrb=0x00000000, int 
flags=0x00000000, unsigned int rdepth=0x00000000)  Line 834 + 0x40 bytes      C
        php5ts.dll!php_pcre_exec(const real_pcre * argument_re=0x02705c70, 
const pcre_extra * extra_data=0x0230fa5c, const char * subject=0x04d6e5f0, int 
length=0x00000467, int start_offset=0x00000000, int options=0x00000000, int * 
offsets=0x04d6eb10, int offsetcount=0x0000000c)  Line 6099 + 0x3f bytes C
        php5ts.dll!php_pcre_match_impl(pcre_cache_entry * pce=0x04f79918, char 
* subject=0x04d6e5f0, int subject_len=0x00000467, _zval_struct * 
return_value=0x04d6eaa0, _zval_struct * subpats=0x04d6ea80, int 
global=0x00000000, int use_flags=0x00000000, long flags=0x00000000, long 
start_offset=0x00000000, void * * * tsrm_ls=0x0278ca60)  Line 629      C
        php5ts.dll!php_do_pcre_match(int ht=0x00000003, _zval_struct * 
return_value=0x00000000, _zval_struct * * return_value_ptr=0x60b72db7, 
_zval_struct * this_ptr=0x60b72db7, int return_value_used=0x60b72db7, void * * 
* tsrm_ls=0x00000000, int global=0x00000000)  Line 520 + 0x2b bytes        C
        php5ts.dll!zif_preg_match(int ht=0x00000003, _zval_struct * 
return_value=0x04d6eaa0, _zval_struct * * return_value_ptr=0x00000000, 
_zval_struct * this_ptr=0x00000000, int return_value_used=0x00000001, void * * 
* tsrm_ls=0x0278ca60)  Line 771 + 0x17 bytes  C
        php5ts.dll!zend_do_fcall_common_helper_SPEC(_zend_execute_data * 
execute_data=0x04da0080, void * * * tsrm_ls=0x0278ca00)  Line 320 + 0x41 bytes C
        php5ts.dll!ZEND_DO_FCALL_SPEC_CONST_HANDLER(_zend_execute_data * 
execute_data=0x00000000, void * * * tsrm_ls=0x00000000)  Line 1640 + 0xe bytes C
        php5ts.dll!execute(_zend_op_array * op_array=0x04d6dca0, void * * * 
tsrm_ls=0x0278ca00)  Line 107 + 0xa bytes   C
        php5ts.dll!zend_execute_scripts(int type=0x00000008, void * * * 
tsrm_ls=0x0278ca60, _zval_struct * * retval=0x00000000, int 
file_count=0x00000003, ...)  Line 1237      C
        php5ts.dll!php_execute_script(_zend_file_handle * 
primary_file=0x0230fe44, void * * * tsrm_ls=0x0278ca60)  Line 2308 + 0x12 bytes 
      C
        php5apache2_2.dll!php_handler(request_rec * r=0x01f77130)  Line 669 + 
0xe bytes C
        libhttpd.dll!6ff02515()         
....


System infos (this is from php 5.3.8, same behavior in 5.3.10):
-------------

System  Windows NT xx6.0 build 6002 (Windows Vista Business Edition Service 
Pack 2) i586 

Architecture    x86
Configure Command       cscript /nologo configure.js "--enable-snapshot-build" 
"--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql" 
"--without-pdo-mssql" "--without-pi3web" 
"--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" 
"--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" 
"--with-oci8-11g=D:\php-sdk\oracle\instantclient11\sdk,shared" 
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" 
"--disable-static-analyze" 



Apache Version  Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 

pcre
PCRE (Perl Compatible Regular Expressions) Support      enabled
PCRE Library Version    8.12 2011-01-15 

Test script:
---------------
<?php
$data= 
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"praeparari"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApraeparariAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
 //+1A to crash => 10.494~
print_r (preg_match("/(\"praeparari\")(.)*(\.)/ixs",$data)); //crash
print_r (preg_match("/(.)*/ixs",$data));  //crash
?>

Expected result:
----------------
no crash. 

Actual result:
--------------
httpd worker crashes due to crash in php5ts



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61213&edit=1

Bug #61213 [Nab]: PCRE - Stack Overflow due to unlimited recursions in preg_match() crashing php5

Reply via email to