From:
Operating system: Solaris 10
PHP version: 5.3.6
Package: PCRE related
Bug Type: Bug
Bug description: preg_match causes segfault with specific subject

Description:
------------
A customer page (system made in Drupal) was causing segfaults. After much debugging, I found this line to cause it :

$contents = preg_replace('<
    \s*([@{}:;,]|\)\s|\s\()\s* |  # Remove whitespace around separators, but keep space around parentheses.
    /\*([^*\\\\]|\*(?!/))+\*/ |   # Remove comments that are not CSS hacks.
    [\n\r]                        # Remove line breaks.
  >x', '\1', $contents);

The $contents was a CSS file. After experimenting, it turns out that opening a comment string (/*) followed by 1815 characters segfaults Apache.

The same script runs perfectly fine when run from CLI, but segfaults on Apache 2.2. It also runs well on several Linux environments tested.

Test script:
---------------
PHP-file :

<?php
$contents = file_get_contents('temp.css');
$contents = preg_replace('<
    \s*([@{}:;,]|\)\s|\s\()\s* |  # Remove whitespace around separators, but keep space around parentheses.
    /\*([^*\\\\]|\*(?!/))+\*/ |   # Remove comments that are not CSS hacks.
    [\n\r]                        # Remove line breaks.
  >x', '\1', $contents);
echo $contents;

CSS-file :

/*
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345

Expected result:
----------------
string(1797)
"/*123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 8901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345" Actual result: -------------- In Apache error log : [notice] child pid 16531 exit signal Segmentation fault (11) Backtrace is very hard to provide at this point, due to unavailability of a 64bit gdb 
on Solaris 10. Will try to add.

-- 
Edit bug report at http://bugs.php.net/bug.php?id=54926&edit=1
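
Added example, not part of the report and not PHP's or Drupal's code: the same cleanup with the comment branch rewritten so ordinary characters are consumed in possessive runs, a lowered pcre.recursion_limit, and a check for preg_replace() returning NULL. It assumes the crash is PCRE recursing once per repetition of the comment group until the Apache worker's stack is exhausted, which the report does not confirm; minify_css(), $hardened, the limit value and the sample subject are constructed for illustration.

```php
<?php
// Added illustration, not code from the report. Assumption: the segfault is
// PCRE recursing once per repetition of the (...)+ comment group until the
// worker's stack runs out.

// Constructed subject shaped like the report's temp.css, closed with "*/".
$css = "/*\n" . str_repeat(str_repeat('1234567890', 20) . "\n", 9)
     . "*/\na { color : red ; }\n";

// Comment branch rewritten: runs of ordinary characters are consumed
// possessively in one step, so the group repeats once per "*" instead of
// once per character. Capture group 1 and the '\1' replacement are unchanged.
$hardened = '<
    \s*([@{}:;,]|\)\s|\s\()\s* |     # Whitespace around separators.
    /\*(?:[^*\\\\]++|\*(?!/))++\*/ | # Comments that are not CSS hacks.
    [\n\r]                           # Line breaks.
  >x';

// Hypothetical wrapper: fall back to the input on a matcher error instead of
// crashing or silently returning nothing.
function minify_css($pattern, $css)
{
    $out = preg_replace($pattern, '\1', $css);
    if ($out === null) {
        // NULL means PCRE gave up (for example PREG_RECURSION_LIMIT_ERROR).
        error_log('CSS cleanup failed, preg_last_error() = ' . preg_last_error());
        return $css; // serve the stylesheet uncompressed
    }
    return $out;
}

// Illustrative value; size it to the stack the web server really gives PHP.
ini_set('pcre.recursion_limit', '5000');

echo minify_css($hardened, $css);
```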