From: joe at emomentum dot co dot uk
Operating system: Debian Etch (Debian 4.0 Stable)
PHP version: 5.2.3
PHP Bug Type: Reproducible crash
Bug description: reproducible segfault in PCRE lib
Description:
------------
Couldn't see this anywhere else (similar but not close enough).
Located an apparent bug in the PCRE library, although this might be
relating to the way PHP calls the library (I'll post this to the PCRE list
as well).
Reproducible if slightly random crash occurs when using regexes with
certain hex strings on longish (and random) strings.
Weirdly, the length of the string directly relates to the chance of a
segfault, and the segfault only occurs with certain ranges of hex strings
(specifically, ONLY over x7A and ONLY with text strings of exactly 4843
bytes or longer).
Note that using the regex /^([\x00-\x7A])*$/ causes a segfault, whereas
/^([\x00-\x71])*$/ or /^([\x00-\x79])*$/ does not.
Running on Debian Etch 64bit (amd64) with latest stable PHP and
libpcre3_6.7-1_amd64 installed.
Regards,
Joe Harris
Senior Developer
eMomentum Limited
Reproduce code:
---------------
<?php
/* the length of the string determines the chance of a segfault. */
$strlen = 4846; /* almost total segfault, roughly 100% segfaults*/
//$strlen = 4845; /* almost always segfault, roughly 95% segfaults */
//$strlen = 4844; /* mostly segfault, roughly 80% segfaults */
//$strlen = 4843; /* regularly segfault, roughly 30% segfaults */
//$strlen = 4842; /* run without error, roughly 0% segfaults */
$alphabet = range('a', 'z'); /* range of lowercase letters */
$str = null; /* generate the random string */
for($i = 0; $i < $strlen; $i++) { $str .= $alphabet[rand(0,25)]; }
/* perform our regex of doom */
$result = preg_match('/^([\x00-\x7A])*$/', $str);
/* spam our (what should be) boolean result */
var_dump($result);
?>
Expected result:
----------------
int(0)
(false, never going to match a-z random string)
Actual result:
--------------
Segmentation fault (core dumped)
-----
when running in gdb:
This GDB was configured as "x86_64-linux-gnu"...(no debugging symbols
found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run test.php
Starting program: /usr/bin/php test.php
(no debugging symbols found)
[snip - lots of these]
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 47782002024432 (LWP 11134)]
(no debugging symbols found)
[snip - lots of these]
(no debugging symbols found)
testing a string of 4846 bytes in length
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47782002024432 (LWP 11134)]
0x00002b751be871a8 in pcre_dfa_exec () from /usr/lib/libpcre.so.3
--
Edit bug report at http://bugs.php.net/?id=41749&edit=1
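As an added example (not part of the bug report, and not PHP's or PCRE's own code): a wrapper that makes a deep match fail closed through PHP's `pcre.recursion_limit` / `pcre.backtrack_limit` settings and `preg_last_error()`, run against a constructed subject of the same shape as the report. It also places the reported pattern beside an equivalent one that does not wrap the single character class in a quantified capturing group; bytes 0x61-0x7A are 'a'-'z', so `[\x00-\x7A]` matches every byte of an all-lowercase subject and the group iterates once per byte, which is where the classic recursive PCRE matcher spends stack. The limit values and the seed are assumptions, and newer PHP builds that run PCRE2 with JIT do not apply these limits in the same way.

```php
<?php
/*
 * Added example, not part of the original bug report or of PHP/PCRE.
 * Shows how to make a pathological pattern return an error instead of
 * crashing, and how to avoid the per-byte group in the reported pattern.
 * Limit values below are assumptions; tune them per workload.
 */

// Cap PCRE recursion and backtracking so a deep match returns false with
// an error code rather than exhausting the C stack (settings exist since
// PHP 5.2.0; values are assumptions).
ini_set('pcre.recursion_limit', '1000');
ini_set('pcre.backtrack_limit', '100000');

/* Wrapper around preg_match() that reports PCRE errors instead of silently
   returning false. Returns 1 (match), 0 (no match) or null on error. */
function safe_preg_match($pattern, $subject, &$error = null)
{
    $error  = null;
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR: $error = 'recursion limit hit'; break;
            case PREG_BACKTRACK_LIMIT_ERROR: $error = 'backtrack limit hit'; break;
            case PREG_INTERNAL_ERROR:        $error = 'internal PCRE error'; break;
            default:                         $error = 'unknown PCRE error'; break;
        }
        return null;
    }
    return $result;
}

/* Constructed subject: same shape as in the report (4846 random a-z bytes),
   seeded so every run uses the same string. */
mt_srand(41749);
$alphabet = range('a', 'z');
$str = '';
for ($i = 0; $i < 4846; $i++) {
    $str .= $alphabet[mt_rand(0, 25)];
}

/* Pattern from the report: a capturing group quantified once per byte. */
$reported = '/^([\x00-\x7A])*$/';
/* Same language, class quantified directly with no group: one repeated
   item, no per-byte recursion. */
$flat = '/^[\x00-\x7A]*$/';

foreach (array('reported' => $reported, 'flat' => $flat) as $name => $pattern) {
    $r = safe_preg_match($pattern, $str, $err);
    printf("%-8s => %s\n", $name, $r === null ? "error: $err" : "int($r)");
}
?>
```

The design point is that `preg_match()` returns `false` on a PCRE error without raising a warning, so code that only checks for a truthy result treats a limit-terminated match as "no match"; checking `preg_last_error()` distinguishes the two, and keeping a quantifier on a single class rather than on a one-character capturing group removes the per-byte recursion that grows with subject length.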