ID: 26020
User updated by: coldrain at workingonit dot org
Reported By: coldrain at workingonit dot org
Status: Open
Bug Type: PCRE related
Operating System: Linux
PHP Version: Irrelevant
New Comment:
Tested on a fresh install of php 4.3.3, compiled from source with no
special parameters, with exactly the same result.
Previous Comments:
------------------------------------------------------------------------
[2003-10-28 12:08:57] coldrain at workingonit dot org
Description:
------------
Variable $fileContent is a rather small html file. A function (see
below) converts some comment tags and writes the output to a different
file. On a RH 8 install, the maximum size of this html file is 9233
bytes. Add 1 or more characters to the html file, and the function
causes a segmentation fault. PHP version is 4.2.2 which comes standard
with RedHat.
Also tested on a Debian 3.1 install, where the max size of the source
html file proved to be 11690 bytes.
Reproduce code:
---------------
function revertComments($fileContent) {
    // Matches <div id="WebEdit" comment="..."> ... </div>; group 1 is the comment
    // attribute, group 2 the body. The body group nests an unbounded repeat
    // ([\d\D]*) inside another repeated group, and with /U both are lazy, which is
    // what drives PCRE's recursion depth up with the size of the input.
    $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
    // \1 and \2 are the two captured groups above.
    $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
    $fileContent = preg_replace($pattern, $replace, $fileContent);
    return $fileContent;
}
Expected result:
----------------
The function should convert the input.
Actual result:
--------------
The script I used was called jjj.php. The output is only part of the
strace. The size of the source html to be converted was 9234 bytes.
open("jjj.php", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET) = 0
brk(0) = 0x824c000
brk(0x8250000) = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0) = 0x8250000
brk(0x8251000) = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096) = 0
brk(0) = 0x8251000
brk(0x8252000) = 0x8252000
read(3, "", 8192) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3) = 0
munmap(0x4001a000, 4096) = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096) = 0
close(3) = 0
munmap(0x4001a000, 4096) = 0
brk(0) = 0x8252000
brk(0x8254000) = 0x8254000
brk(0) = 0x8254000
brk(0x8259000) = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
The same script with the same html source file but 1 character removed
has more or less the same output as above, but continues (see below)
instead of segfaulting:
open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3) = 0
munmap(0x4001a000, 4096) = 0
write(1, "X-Powered-By: PHP/4.2.2", 23X-Powered-By: PHP/4.2.2) = 23
write(1, "\r\n", 2
) = 2
write(1, "Content-type: text/html", 23Content-type: text/html) = 23
write(1, "\r\n", 2
) = 2
write(1, "\r\n", 2
) = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280) = 0
munmap(0x408e9000, 171372) = 0
munmap(0x40913000, 42104) = 0
munmap(0x4091e000, 42532) = 0
munmap(0x40792000, 797228) = 0
munmap(0x40855000, 76604) = 0
munmap(0x40868000, 384604) = 0
munmap(0x408c6000, 64436) = 0
munmap(0x40014000, 4552) = 0
munmap(0x408e0000, 34836) = 0
munmap(0x40929000, 221952) = 0
munmap(0x40016000, 14392) = 0
munmap(0x40969000, 509688) = 0
_exit(0) = ?
------------------------------------------------------------------------
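Added example, not part of the bug report or of PHP itself. The reporter's pattern nests an unbounded repeat ([\d\D]*) inside another repeated group, and with the /U modifier every quantifier is lazy, so the outer group has to iterate once for every character of the div body. Classic PCRE implements each iteration of a repeated group as a nested match() call, so the C stack grows with the input until it overflows, which is consistent with the fixed size thresholds the reporter measured on two distributions. The script below assumes PHP 7 or later (preg_last_error(), PREG_RECURSION_LIMIT_ERROR and the pcre.jit / pcre.recursion_limit / pcre.backtrack_limit settings do not exist in the PHP 4.x builds in the report, which is why those builds crash instead of returning an error). It bounds PCRE's recursion so an oversized input fails with a reported error instead of a SIGSEGV, and shows a linear replacement pattern that does not recurse per character. The sample HTML, the helper name revertCommentsChecked, and the assumption that the original's handling of nested <div>s is not required are the example's own.

```php
<?php
// Added example (not from the bug report). Assumes PHP >= 7.0: preg_last_error(),
// PREG_RECURSION_LIMIT_ERROR and the pcre.* ini settings do not exist in PHP 4.x,
// which is why the reporter's build crashes instead of returning an error.

// Pattern from the report. /U makes every quantifier lazy, so [\d\D]* inside the
// outer (...)* matches as little as possible and the outer group must iterate
// once per character of the body; each iteration of a repeated group is a
// nested match() call in classic PCRE, so stack use grows with the input.
$unsafePattern = '/<div\s+id="?WebEdit"?\s+comment="([^"]+)">'
               . '((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU';

// Replacement pattern (assumption: the body is everything up to the first
// </div>, and the original's attempt to skip nested <div>s is not needed).
// A lazy single-character repeat is advanced in a loop at constant depth, so
// the match no longer recurses once per character.
$safePattern = '/<div\s+id="?WebEdit"?\s+comment="([^"]+)">([\d\D]*?)<\/div>/si';

$replacement = '<!-- #BeginEditable "$1" -->$2<!-- #EndEditable -->';

/**
 * preg_replace() under an explicit recursion budget. preg_replace() returns
 * NULL on any PCRE error, and a caller that writes the result straight to a
 * file (as the reporter's script does) would silently produce an empty file,
 * so a failure is turned into an exception here. Hypothetical helper name.
 */
function revertCommentsChecked(string $pattern, string $replacement, string $fileContent): string
{
    ini_set('pcre.jit', '0');                 // make the interpreter's depth limit apply
    ini_set('pcre.recursion_limit', '1000');  // far below any realistic stack size
    ini_set('pcre.backtrack_limit', '1000000');

    $out = preg_replace($pattern, $replacement, $fileContent);
    if ($out === null) {
        $names = [
            PREG_INTERNAL_ERROR        => 'internal error',
            PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit exceeded',
            PREG_RECURSION_LIMIT_ERROR => 'recursion limit exceeded',
            PREG_BAD_UTF8_ERROR        => 'bad UTF-8',
            PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit exceeded',
        ];
        $code = preg_last_error();
        throw new RuntimeException('preg_replace failed: ' . ($names[$code] ?? "code $code"));
    }
    return $out;
}

// Constructed input: a single WebEdit div whose body is larger than the ~9 KB
// at which the reporter's RH 8 build dies.
$body = str_repeat("<p>filler paragraph for the size test</p>\n", 400); // ~17 KB
$html = '<div id="WebEdit" comment="wijzigbare tekst">' . $body . '</div>' . "\n";

try {
    revertCommentsChecked($unsafePattern, $replacement, $html);
    echo "unsafe pattern: matched within the limit on this PCRE build\n";
} catch (RuntimeException $e) {
    echo "unsafe pattern: " . $e->getMessage() . "\n"; // expected on a recursive PCRE
}

$converted = revertCommentsChecked($safePattern, $replacement, $html);
$ok = strpos($converted, '<!-- #BeginEditable "wijzigbare tekst" -->') === 0
   && strpos($converted, '<!-- #EndEditable -->') !== false;
echo "safe pattern: " . ($ok ? "converted" : "unexpected output") . "\n";
```

Run it as `php example.php`. On a build where the depth limit applies (JIT disabled, as the script sets), the first call reports "recursion limit exceeded" and the second converts the document; the point for a caller is the NULL check, since without it an exhausted limit would silently truncate the output file to nothing.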
--
Edit this bug report at http://bugs.php.net/?id=26020&edit=1