From: cobexer at gmail dot com
Operating system: Linux/openSuSE 11.1
PHP version: 5.2.9
PHP Bug Type: PCRE related
Bug description: Crash with preg_replace_callback

Description:
------------
When I tried to match nested patterns my apache2 with php crashed - however for similar inputs a very similar regular expression is in use and causes no problems... (but the crash seems to be related to the number of nesting levels)

Reproduce code:
---------------
<?php
//long test string -> crash
$match= "{IF(a)}if{IF(a)}fi{IF(a)}if{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{ELSE}else{IF(a)}if{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{/IF}";
//shorter test string -> still crash, but if I remove the first nested {IF... it doesn't crash any more
$match= "{IF(a)}if{IF(a)}fi{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}";
$reg= '/\{IF\((.*)\)\}([^\{]+?)(\{ELSE\})?([^\{]*?)(\{\/IF\})/Us';
$matches= array();
function cback($t) {
    global $matches;
    $matches[]= $t;
    return '';
}
preg_replace_callback($reg, 'cback', $match);
var_dump($matches);
?>

Expected result:
----------------
An array with the matches of the regExp correctly nested... but I was in the stage of designing the regular expression itself - at least I did not expect a crash...

Actual result:
--------------
Apache/2.2.10 (php loaded as module) error_log:

without 3rd party extensions:
[notice] child pid 11335 exit signal Segmentation fault (11)

with XDebug enabled:
[error] [client 127.0.0.1] ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker '127.0.0.1', file '/path/file.php')

when running php from the command line (no crash -> no backtrace):
$ php reproduce.php #same content as the code posted above!
array(2) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
}
ALERT - possible memory corruption detected - unknown Hashtable destructor (attacker 'REMOTE_ADDR not set', file 'unknown')

--
Edit bug report at http://bugs.php.net/?id=48501&edit=1