From:             r dot hampartsumyan at gmail dot com
Operating system: Linux (Debian 6.0 and Mint 13)
PHP version:      5.4.16
Package:          PCRE related
Bug Type:         Bug
Bug description: preg_match segmentation fault with long strings

Description:
------------
When trying to match a longer string with the following regex, preg_match
causes a segmentation fault:

$pattern = "/^(?:%[[:xdigit:]]{2}|[A-Za-z0-9-_.!~*'()\[\];\/?:@&=+$,])*$/";

(this is the regex used in zf1's Zend_Uri_Http for validating queries).
Tested with 5.3.26, 5.4.16 and 5.5rc3.

The fault is reproducible in cli as well as in apache context, though the
length of the string needed may vary (for example, I managed to reproduce
it in apache context with a shorter string by activating a perl module that
allocates more memory; the more memory used by the mod, the shorter the
string that caused the fault).

Test script:
---------------
<?php
// 20000 bytes of a character the class accepts, so the whole string is consumed
$query = str_repeat("x", 20000);

// the Zend_Uri_Http query pattern quoted in the description
$pattern = "/^(?:%[[:xdigit:]]{2}|[A-Za-z0-9-_.!~*'()\[\];\/?:@&=+$,])*$/";

// never returns: the process dies inside PCRE's recursive match()
$status = @preg_match($pattern, $query);

echo "success";

Expected result:
----------------
"success"

Actual result:
--------------
(gdb) bt
#0  0x080db48a in match (eptr=0xb774ebee 'x' <repeats 200 times>...,
ecode=<error reading variable: Cannot access memory at address 0xbf233f44>,

    mstart=<error reading variable: Cannot access memory at address
0xbf233f5c>, offset_top=2, md=<error reading variable: Cannot access memory
at address 0xbf233f58>, 
    eptrb=<error reading variable: Cannot access memory at address
0xbf233f54>, rdepth=11624) at
/home/rado/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:500
#1  0x080dc235 in match (eptr=0xb774ebee 'x' <repeats 200 times>...,
ecode=0x972c8dd "}", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11623)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:1069
#2  0x080de3f5 in match (eptr=0xb774ebee 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11622)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#3  0x080de3f5 in match (eptr=0xb774ebed 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11621)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#4  0x080de3f5 in match (eptr=0xb774ebec 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11620)
    at
/usr/local/phpsrcs/5.4.16/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#5  0x080de3f5 in match (eptr=0xb774ebeb 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11619)
    at
/usr/local/phpsrcs/5.4.16/phpsrcs/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#6  0x080de3f5 in match (eptr=0xb774ebea 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11618)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#7  0x080de3f5 in match (eptr=0xb774ebe9 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11617)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#8  0x080de3f5 in match (eptr=0xb774ebe8 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11616)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#9  0x080de3f5 in match (eptr=0xb774ebe7 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11615)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#10 0x080de3f5 in match (eptr=0xb774ebe6 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11614)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#11 0x080de3f5 in match (eptr=0xb774ebe5 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11613)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
#12 0x080de3f5 in match (eptr=0xb774ebe4 'x' <repeats 200 times>...,
ecode=0x972c92c "s", mstart=0xb774be88 'x' <repeats 200 times>...,
offset_top=2, md=0xbfa2f714, eptrb=0x0, rdepth=11612)
    at /usr/local/phpsrcs/5.4.16/php-src/ext/pcre/pcrelib/pcre_exec.c:2039
.................

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65009&edit=1
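A fail-closed version of the validation step, added here as an example (it is neither the reporter's script nor Zend Framework's code). The length cap, the limit values and the function name are assumptions; the one-frame-per-character observation comes from the trace above, where rdepth and eptr step together.

```php
<?php
// Added example, not from the bug report or from Zend_Uri_Http.
// MAX_QUERY_LENGTH and the pcre.* limits are illustrative assumptions.
define('QUERY_PATTERN',
    "/^(?:%[[:xdigit:]]{2}|[A-Za-z0-9-_.!~*'()\[\];\/?:@&=+$,])*$/");
define('MAX_QUERY_LENGTH', 4096);

function validateQuery($query)
{
    // 1. Bound the input before PCRE sees it. In the trace every matched
    //    character adds one recursive match() frame (rdepth grows by one as
    //    eptr advances), so C stack use is linear in the query length.
    if (strlen($query) > MAX_QUERY_LENGTH) {
        return array('ok' => false, 'reason' => 'longer than ' . MAX_QUERY_LENGTH);
    }

    // 2. Let PCRE give up before the C stack does. The crash happened at
    //    rdepth 11624; a limit below that turns the crash into an error
    //    return. 8000 leaves headroom above MAX_QUERY_LENGTH (assumption).
    ini_set('pcre.recursion_limit', '8000');
    ini_set('pcre.backtrack_limit', '200000');

    // 3. Check the result strictly: false means PCRE failed, not "no match",
    //    and preg_last_error() says why.
    $status = preg_match(QUERY_PATTERN, $query);
    if ($status === false) {
        $names = array(
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit hit',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit hit',
            PREG_BAD_UTF8_ERROR        => 'bad utf-8',
        );
        $code = preg_last_error();
        $reason = isset($names[$code]) ? $names[$code] : 'pcre error ' . $code;
        return array('ok' => false, 'reason' => $reason);
    }
    return array('ok' => $status === 1,
                 'reason' => $status === 1 ? 'valid' : 'disallowed character');
}

// Constructed inputs: a normal query, one with a space, and the report's
// 20000-byte string, which is now rejected by the length cap instead of
// reaching PCRE.
$samples = array('a=1&b=%20c', 'a=b c', str_repeat('x', 20000));
foreach ($samples as $q) {
    $r = validateQuery($q);
    printf("len=%5d ok=%d %s\n", strlen($q), $r['ok'] ? 1 : 0, $r['reason']);
}
```

Lowering pcre.recursion_limit is a backstop for patterns whose depth is not predictable from the input length; the length cap is what keeps legitimate queries from ever hitting it.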