From: [EMAIL PROTECTED] Operating system: RedHat 8.0 PHP version: 5CVS-2003-01-18 (dev) PHP Bug Type: PCRE related Bug description: preg_replace() segfaults with invalid parameters
While handling the feature request (bug #7006), I found another bug.

<?php
$tvPrograms = array( 'Simpsons', 'Southpark', 'Disney Time' );
$data = str_repeat('%col%', 100);
$htmlDoc = preg_replace('/%col%/', $tvPrograms, $data );
print $htmlDoc;
?>

I know the above script is incorrect, as the manual says:

> If pattern is an array and replacement is a string, then
> this replacement string is used for every value of
> pattern. The converse would not make sense, though.

But I didn't expect it to segfault... (In frame #0 of the backtrace below, replace_len = 134564634 and replace_end is out of bounds, so the array passed as the replacement is presumably being read as if it were a string, and the copy runs past the end of the buffers.)

[backtrace] #0 0x0806bd04 in php_pcre_replace (regex=0x400a6d64 "/%col%/", regex_len=7, subject=0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"..., subject_len=500, replace_val=0x400a6de4, is_callable_replace=0, result_len=0xbfffd334, limit=-1) at /home/koizumi/src/php5/ext/pcre/php_pcre.c:833 re = (struct real_pcre *) 0x81bb678 extra = (struct real_pcre_extra *) 0x0 exoptions = 0 preg_options = 0 count = 1 offsets = (int *) 0x400a7264 size_offsets = 3 new_len = 2122001 alloc_len = 1001 eval_result_len = 0 match_len = 404 backref = 3 eval = 0 start_offset = 0 g_notempty = 0 replace_len = 134564634 result = 0x400a79fc 'Z' <repeats 28 times>, "\204?\217*ZZZZ?%\003" replace = 0x400a6e28 "\b" new_buf = 0x22c <Address 0x22c out of bounds> walkbuf = 0x400a7008 ",\002" walk = 0x402ad000 <Address 0x402ad000 out of bounds> match = 0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"... piece = 0x400a7038 "%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%%col%"... 
replace_end = 0x480fb942 <Address 0x480fb942 out of bounds> eval_result = 0x400a7234 "D" walk_last = 0 '\0' #1 0x0806c518 in php_replace_in_subject (regex=0x400a6a8c, replace=0x400a6de4, subject=0x4009abc0, result_len=0xbfffd334, limit=-1, is_callable_replace=0 '\0') at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1013 regex_entry = (struct _zval_struct **) 0x400a6ff4 replace_entry = (struct _zval_struct **) 0x0 replace_value = (struct _zval_struct *) 0x817dbe0 empty_replace = {value = {lval = 135781248, dval = 6.7084849986250466e-316, str = {val = 0x817db80 "", len = 0}, ht = 0x817db80, obj = {handle = 135781248, handlers = 0x0}}, refcount = 135594816, type = 3 '\003', is_ref = 4 '\004'} subject_value = 0x8131450 "\203? \211\003N" result = 0xbfffd2f8 "\t@4???????" subject_len = 1074425912 #2 0x0806cb57 in preg_replace_impl (ht=3, return_value=0x400a6da0, this_ptr=0x0, return_value_used=1, is_callable_replace=0 '\0') at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1100 regex = (struct _zval_struct **) 0x4009abb8 replace = (struct _zval_struct **) 0x4009abbc subject = (struct _zval_struct **) 0x4009abc0 limit = (struct _zval_struct **) 0x0 subject_entry = (struct _zval_struct **) 0x400a6d70 result = 0x8191400 "" result_len = 0 limit_val = -1 string_key = 0x44 <Address 0x44 out of bounds> num_key = 3221214040 callback_name = 0x0 #3 0x0806cba8 in zif_preg_replace (ht=3, return_value=0x400a6da0, this_ptr=0x0, return_value_used=1) at /home/koizumi/src/php5/ext/pcre/php_pcre.c:1111 No locals. 
#4 0x08147cef in zend_do_fcall_common_helper (execute_data=0xbfffd5e0, op_array=0x400a5de4) at /home/koizumi/src/php5/Zend/zend_execute.c:2566 original_return_value = (struct _zval_struct **) 0x12e current_scope = (struct _zend_class_entry *) 0x0 current_this = (struct _zval_struct *) 0x0 return_value_used = 1 #5 0x0814828b in zend_do_fcall_handler (execute_data=0xbfffd5e0, op_array=0x400a5de4) at /home/koizumi/src/php5/Zend/zend_execute.c:2692 fname = (struct _zval_struct *) 0x400a64a8 #6 0x0814376a in execute (op_array=0x400a5de4) at /home/koizumi/src/php5/Zend/zend_execute.c:1218 execute_data = {opline = 0x400a6484, function_state = { function_symbol_table = 0x0, function = 0x81bac28, reserved = {0x0, 0x0, 0xbffff920, 0x0}}, fbc = 0x0, fbc_constructor = 0x0, op_array = 0x400a5de4, object = 0x0, Ts = 0xbfffd400, original_in_execution = 0 '\0', calling_scope = 0x0, prev_execute_data = 0x0} ... #7 0x08132ede in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/koizumi/src/php5/Zend/zend.c:996 #8 0x08101892 in php_execute_script (primary_file=0xbffff920) at /home/koizumi/src/php5/main/main.c:1691 #9 0x0814e39b in main (argc=2, argv=0xbffff9b4) at /home/koizumi/src/php5/sapi/cli/php_cli.c:753 #10 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6 -- Edit bug report at http://bugs.php.net/?id=21732&edit=1