Edit report at https://bugs.php.net/bug.php?id=26020&edit=1
ID: 26020
Comment by: ferenczy at volny dot cz
Reported by: coldrain at workingonit dot org
Summary: preg_replace causing segmentation fault
Status: Bogus
Type: Bug
Package: PCRE related
Operating System: Linux
PHP Version: 4.3.3
Block user comment: N
Private report: N

New Comment:

It's an Apache stack overflow issue. You probably need to increase the Apache thread stack size, which is set on Windows to 1 MB only by default (8 MB on Linux). See this for more info: https://bugs.php.net/bug.php?id=47689 (last post from me, [2011-09-29 12:35 UTC])

Previous Comments:
------------------------------------------------------------------------
[2003-10-28 17:31:38] sni...@php.net

Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Because of this, we hope you add your comments to the existing bug instead.

Thank you for your interest in PHP.

See bug #25754 (I get the same GDB backtraces with your example script and the one in that report)
------------------------------------------------------------------------
[2003-10-28 12:08:57] coldrain at workingonit dot org

Description:
------------
Variable $fileContent is a rather small HTML file. A function (see below) converts some comment tags and writes the output to a different file. On a RH 8 install, the maximum size of this HTML file is 9233 bytes. Add 1 or more characters to the HTML file, and the function causes a segmentation fault. PHP version is 4.2.2, which comes standard with RedHat. Also tested on a Debian 3.1 install, where the max size of the source HTML file proved to be 11690 bytes.
Reproduce code:
---------------
function revertComments($fileContent)
{
    // Match <div id="WebEdit" comment="..."> ... </div>, capturing the comment
    // value and the body. The body group repeats a group whose alternatives are
    // themselves unbounded ((?:...|[\d\D]*)*); the 'U' modifier makes all
    // quantifiers ungreedy.
    $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
    // Rewrite the matched block as editable-region comment markers.
    $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
    $fileContent = preg_replace($pattern, $replace, $fileContent);
    return $fileContent;
}

Expected result:
----------------
The function should convert the input.

Actual result:
--------------
The script I used was called jjj.php. The output is only part of the strace. The size of the source HTML to be converted was 9234 bytes.

open("jjj.php", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET) = 0
brk(0) = 0x824c000
brk(0x8250000) = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0) = 0x8250000
brk(0x8251000) = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096) = 0
brk(0) = 0x8251000
brk(0x8252000) = 0x8252000
read(3, "", 8192) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3) = 0
munmap(0x4001a000, 4096) = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096) = 0
close(3) = 0
munmap(0x4001a000, 4096) = 0
brk(0) = 0x8252000
brk(0x8254000) = 0x8254000
brk(0) = 0x8254000
brk(0x8259000) = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The same script with the same HTML source file but 1 character removed has more or less the same output as above, but continues (see below) instead of segfaulting:

open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3) = 0
munmap(0x4001a000, 4096) = 0
write(1, "X-Powered-By: PHP/4.2.2", 23) = 23
write(1, "\r\n", 2) = 2
write(1, "Content-type: text/html", 23) = 23
write(1, "\r\n", 2) = 2
write(1, "\r\n", 2) = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280) = 0
munmap(0x408e9000, 171372) = 0
munmap(0x40913000, 42104) = 0
munmap(0x4091e000, 42532) = 0
munmap(0x40792000, 797228) = 0
munmap(0x40855000, 76604) = 0
munmap(0x40868000, 384604) = 0
munmap(0x408c6000, 64436) = 0
munmap(0x40014000, 4552) = 0
munmap(0x408e0000, 34836) = 0
munmap(0x40929000, 221952) = 0
munmap(0x40016000, 14392) = 0
munmap(0x40969000, 509688) = 0
_exit(0) = ?
------------------------------------------------------------------------
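The thread's diagnosis is stack exhaustion inside the regex engine while matching the report's pattern, whose body group nests unbounded quantifiers, so the matcher's depth grows with the size of the edited region; raising the thread stack, as the last comment suggests, only moves the input size at which the process dies. The following is an added example, not code from this report or from PHP itself, showing the in-script side of the problem: it caps PCRE with pcre.recursion_limit and pcre.backtrack_limit so a runaway match comes back as an error code rather than a SIGSEGV, reads preg_last_error() because preg_replace() returns null on any PCRE error, and compares the reporter's pattern against a rewrite with a single lazy body match and no nested quantifier. The sample HTML, the comment value "main-content" and the body sizes are constructed here; the rewrite assumes the editable block contains no nested <div>, which is all the report's strace shows. It needs PHP 7.1 or later.

```php
<?php
// Added example, not part of the bug report or of PHP itself. It re-runs the reporter's
// pattern with PCRE limits set so that a runaway match comes back as an error code
// instead of overrunning the process stack, and compares a rewrite without nested
// quantifiers. Requires PHP 7.1 or later.
declare(strict_types=1);

// The reporter's pattern, verbatim. The second capture group repeats a group whose
// alternatives are themselves unbounded ((?:...|[\d\D]*)*), so the matcher's depth
// grows with the length of the text between the tags.
const ORIGINAL_PATTERN = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";

// Rewrite with a single lazy body match and no nested quantifier. Assumption (not in the
// report): the editable region contains no nested <div>, which is all the original's
// strace shows. The 'U' modifier is dropped because the body quantifier is lazy itself.
const FLAT_PATTERN = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">([\d\D]*?)<\/div>/si";

// Replacement string from the report.
const REPLACEMENT = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";

/**
 * Run preg_replace and return [result, error name]. preg_replace() returns null on a
 * PCRE error and only preg_last_error() says why, so callers must always read it.
 */
function safeReplace(string $pattern, string $replacement, string $subject): array
{
    $result = preg_replace($pattern, $replacement, $subject);
    $names = [
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
        PREG_BAD_UTF8_OFFSET_ERROR => 'PREG_BAD_UTF8_OFFSET_ERROR',
        PREG_JIT_STACKLIMIT_ERROR  => 'PREG_JIT_STACKLIMIT_ERROR',
    ];
    $code = preg_last_error();
    return [$result, $names[$code] ?? "unknown($code)"];
}

/**
 * Constructed sample input (not the reporter's content.html): one WebEdit block whose
 * body is $bodyBytes bytes of filler, so the failure threshold can be probed by size.
 */
function buildSample(int $bodyBytes): string
{
    $filler = str_repeat("Lorem ipsum dolor sit amet. ", intdiv($bodyBytes, 28) + 1);
    return "<html><body>\n"
        . "<div id=\"WebEdit\" comment=\"main-content\">" . substr($filler, 0, $bodyBytes) . "</div>\n"
        . "</body></html>\n";
}

/** Sanity check that the rewrite still performs the conversion the report asks for. */
function flatPatternConverts(): bool
{
    [$out, $err] = safeReplace(FLAT_PATTERN, REPLACEMENT, buildSample(200));
    return $err === 'PREG_NO_ERROR'
        && $out !== null
        && strpos($out, '<!-- #BeginEditable "main-content" -->') !== false
        && strpos($out, '<!-- #EndEditable -->') !== false
        && strpos($out, 'id="WebEdit"') === false;
}

// Cap the interpretive matcher so a runaway match is reported, not segfaulted on. With the
// PCRE2 JIT (PHP 7.3+, pcre.jit=1) the matcher uses its own bounded stack and reports
// PREG_JIT_STACKLIMIT_ERROR instead; it is disabled here to exercise the recursion limit.
ini_set('pcre.jit', '0');
ini_set('pcre.recursion_limit', '10000');
ini_set('pcre.backtrack_limit', '1000000');

if (!flatPatternConverts()) {
    fwrite(STDERR, "rewritten pattern does not convert the sample\n");
    exit(1);
}

foreach ([1000, 20000, 200000] as $size) {
    $input = buildSample($size);
    foreach (['original' => ORIGINAL_PATTERN, 'flat' => FLAT_PATTERN] as $label => $pattern) {
        [$out, $err] = safeReplace($pattern, REPLACEMENT, $input);
        printf("%-8s pattern, %6d-byte body: %-27s result=%s\n",
            $label, $size, $err, $out === null ? 'null' : strlen($out) . ' bytes');
    }
}
```

Run it as `php example.php`. Which cap the original pattern trips first, and at what body size, depends on the bundled PCRE version: the interpretive matcher reports PREG_RECURSION_LIMIT_ERROR or PREG_BACKTRACK_LIMIT_ERROR, and with pcre.jit left on it reports PREG_JIT_STACKLIMIT_ERROR; in every case the script gets a null result and an error code rather than the SIGSEGV in the report's strace. The point for reviewing PHP code is the null check: a preg_replace() call whose return value is used unchecked silently turns a matcher limit into an empty or missing output file.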