ID:               27070
 Updated by:       [EMAIL PROTECTED]
 Reported By:      pages at inrp dot fr
-Status:           Open
+Status:           Feedback
 Bug Type:         Reproducible crash
 Operating System: Fedora Core 1 (Linux)
 PHP Version:      5.0.0b3 (beta3)
 New Comment:

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


Previous Comments:
------------------------------------------------------------------------

[2004-01-28 06:16:59] pages at inrp dot fr

Description:
------------
After running the script below, /var/log/httpd/error_log
says:

 [Wed Jan 28 00:19:30 2004] [notice] child pid 13744 exit signal
Segmentation fault (11)

It has been tested on 3 different systems :
 - Red Hat 8.0 + Apache 2.0.40 + PHP 4.2.2
 - Red Hat 9 + Apache 2.0.40 + PHP 4.2.2
 - Fedora Core 1 + Apache 2.0.48 + 5.0.0b3

Some statistics :
  - with pattern "/(a)*/", it crashes with a subject
    length > 13800
  - with pattern "/((a))*/", it crashes with a subject
    length > 9200
  - with pattern "/(((a)))*/", it crashes with a subject
    length > 6900
  - with pattern "/((((a))))*/", it crashes with a subject
    length > 5600
  - with pattern "/(((((a)))))*/", it crashes with a
    subject length > 4600
  - with pattern "/((((((a))))))*/", it crashes with a
    subject length > 4000
  - etc...


Reproduce code:
---------------
<?php
# This script crashes Apache :

$subject = str_repeat("a",13800);
preg_match("/(a)*/",$subject);
echo "OK";

# NB: The length of $subject (here 13800) may depend on
# your system. It seems to be related to the memory_limit
# directive (mine is 8M) but not in the way that
# one would expect (it doesn't seem to be something
# like "If I give more memory, then I need a larger
# subject to crash Apache").
# It doesn't crash if I use the pattern "/a*/" instead
# of "/(a)*/".
?>


Expected result:
----------------
No crash

Actual result:
--------------
Crash :-(


------------------------------------------------------------------------
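
A defensive wrapper for the crash reported above, as an added example that is not part of the original report or of PHP's own code. It assumes PHP 5.2 or later, where the `pcre.recursion_limit` setting and `preg_last_error()` are available, and it assumes the segfault comes from PCRE recursing once per repetition of the group; `guarded_preg_match`, `$maxLen` and the limit values are hypothetical choices.

```php
<?php
// Added example, not from the bug report. guarded_preg_match() is a
// hypothetical helper; the length cap and recursion limit are illustrative.
// Assumes PHP >= 5.2 (pcre.recursion_limit, preg_last_error()).

function guarded_preg_match($pattern, $subject, $maxLen = 4096, $recursionLimit = 1000)
{
    // 1. Reject oversized input before it reaches PCRE: the report shows
    //    the crash threshold depends on subject length.
    if (strlen($subject) > $maxLen) {
        return array('ok' => false, 'reason' => 'subject too long', 'matches' => array());
    }

    // 2. Bound PCRE's internal recursion. Assumption: the crash is stack
    //    exhaustion, so a limit makes the engine fail with an error code.
    $old = ini_set('pcre.recursion_limit', (string) $recursionLimit);

    $matches = array();
    $result  = @preg_match($pattern, $subject, $matches);
    $error   = preg_last_error();

    if ($old !== false) {
        ini_set('pcre.recursion_limit', $old); // restore the previous limit
    }

    // 3. preg_match() returns false on engine errors; never treat that
    //    as "no match".
    if ($result === false || $error !== PREG_NO_ERROR) {
        return array('ok' => false, 'reason' => 'pcre error code ' . $error, 'matches' => array());
    }
    return array('ok' => true, 'reason' => $result ? 'match' : 'no match', 'matches' => $matches);
}

// Constructed inputs based on the report's reproduce script.
$long  = str_repeat('a', 13800);
$short = str_repeat('a', 100);

foreach (array(
    array('/(a)*/', $long),   // rejected by the length cap
    array('/(a)*/', $short),  // small enough to evaluate
    array('/a*/',   $short),  // the pattern the report says does not crash
) as $case) {
    $r = guarded_preg_match($case[0], $case[1]);
    echo $case[0], ' len=', strlen($case[1]), ' => ', $r['reason'], "\n";
}
```
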

