ID:               26020
 Updated by:       [EMAIL PROTECTED]
 Reported By:      coldrain at workingonit dot org
-Status:           Open
+Status:           Feedback
 Bug Type:         PCRE related
 Operating System: Linux
-PHP Version:      Irrelevant
+PHP Version:      4.3.3
 New Comment:

Please provide the configure line you used to configure PHP
and also a complete example. I actually think this is not really a
bug as is, but simply a limitation in the PCRE library:
the maximum length of a matched pattern. (iirc..:)




Previous Comments:
------------------------------------------------------------------------

[2003-10-28 13:08:27] coldrain at workingonit dot org

Tested on a fresh install of php 4.3.3, compiled from source with no
special parameters, with exactly the same result.

------------------------------------------------------------------------

[2003-10-28 12:08:57] coldrain at workingonit dot org

Description:
------------
Variable $fileContent is a rather small html file. A function (see
below) converts some comment tags and writes the output to a different
file. On a RH 8 install, the maximum size of this html file is 9233
bytes. Add 1 or more characters to the html file, and the function
causes a segmentation fault. PHP version is 4.2.2 which comes standard
with RedHat.
Also tested on a Debian 3.1 install, where the max size of the source
html file proved to be 11690 bytes.

Reproduce code:
---------------
function revertComments($fileContent) {
  $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
  $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
  $fileContent = preg_replace($pattern, $replace, $fileContent);
  return $fileContent;
}


Expected result:
----------------
The function should convert the input. 

Actual result:
--------------
The script I used was called jjj.php. The output is only part of the
strace. The size of the source html to be converted was 9234 bytes.

open("jjj.php", O_RDONLY)               = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET)            = 0
brk(0)                                  = 0x824c000
brk(0x8250000)                          = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0)                                  = 0x8250000
brk(0x8251000)                          = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096)                       = 0
brk(0)                                  = 0x8251000
brk(0x8252000)                          = 0x8252000
read(3, "", 8192)                       = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
brk(0)                                  = 0x8252000
brk(0x8254000)                          = 0x8254000
brk(0)                                  = 0x8254000
brk(0x8259000)                          = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The same script with the same html source file but 1 character removed
has more or less the same output as above, but continues (see below)
instead of segfaulting:

open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
write(1, "X-Powered-By: PHP/4.2.2", 23X-Powered-By: PHP/4.2.2) = 23
write(1, "\r\n", 2
)                     = 2
write(1, "Content-type: text/html", 23Content-type: text/html) = 23
write(1, "\r\n", 2
)                     = 2
write(1, "\r\n", 2
)                     = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280)               = 0
munmap(0x408e9000, 171372)              = 0
munmap(0x40913000, 42104)               = 0
munmap(0x4091e000, 42532)               = 0
munmap(0x40792000, 797228)              = 0
munmap(0x40855000, 76604)               = 0
munmap(0x40868000, 384604)              = 0
munmap(0x408c6000, 64436)               = 0
munmap(0x40014000, 4552)                = 0
munmap(0x408e0000, 34836)               = 0
munmap(0x40929000, 221952)              = 0
munmap(0x40016000, 14392)               = 0
munmap(0x40969000, 509688)              = 0
_exit(0)                                = ?



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26020&edit=1
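
A depth-counting alternative to the revertComments() pattern in the report above, as an added example that is not part of the original bug report or of PHP's own code. The function name revertCommentsLinear, the PHP 7.1+ syntax and the sample input are assumptions; it finds div tags with a flat pattern and tracks nesting itself, so no group has to be repeated across the whole file.

```php
<?php
// Added example (not the reporter's code): same conversion, without the
// nested "(?:...|[\d\D]*)*" group. Assumes attribute values contain no '>'.
function revertCommentsLinear(string $html): string
{
    // Flat pattern: every <div ...> opener and </div> closer, with offsets.
    $n = preg_match_all('/<div\b[^>]*>|<\/div\s*>/i', $html, $m, PREG_OFFSET_CAPTURE);
    if ($n === false) {
        // Report the failure instead of silently losing the content.
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    $out = '';
    $pos = 0;         // start of input not yet copied to $out
    $depth = 0;       // div nesting depth inside the current WebEdit block
    $start = null;    // offset just after the WebEdit opener, null when outside
    $blockOff = 0;    // offset of the WebEdit opener itself
    $name = '';
    foreach ($m[0] as [$tag, $off]) {
        $isOpen = $tag[1] !== '/';
        if ($start === null) {
            // Outside a block: only a WebEdit opener matters.
            if ($isOpen && preg_match('/^<div\s+id="?WebEdit"?\s+comment="([^"]+)">$/i', $tag, $a)) {
                $name = $a[1];
                $blockOff = $off;
                $start = $off + strlen($tag);
                $depth = 1;
            }
            continue;
        }
        $depth += $isOpen ? 1 : -1;
        if ($depth === 0) {
            // Matching closer found: emit prefix, then the converted block.
            $out .= substr($html, $pos, $blockOff - $pos)
                  . '<!-- #BeginEditable "' . $name . '" -->'
                  . substr($html, $start, $off - $start)
                  . '<!-- #EndEditable -->';
            $pos = $off + strlen($tag);
            $start = null;
        }
    }
    // Copy the tail; an unclosed WebEdit block is left unchanged.
    return $out . substr($html, $pos);
}

// Constructed sample input.
$sample = '<p>x</p><div id="WebEdit" comment="main"><div class="a">hi</div></div>';
echo revertCommentsLinear($sample), "\n";
```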
