#26469 [Com]: Reproducible crash on regexp

brion at pobox dot com Sun, 30 Nov 2003 05:20:59 -0800

 ID:               26469
 Comment by:       brion at pobox dot com
 Reported By:      f23wop602 at sneakemail dot com
 Status:           Bogus
 Bug Type:         Reproducible crash
 Operating System: RH7 2.2.16-22
 PHP Version:      4.3.4
 New Comment:


The given script works for me without crashing on 4.3.2 (Linux/x86, Red
Hat 7.3 and Red Hat 9.0, and MacOS X 10.3.1). The original poster has
told me that it works for him in 4.3.4 beta and crashes only in 4.3.4
release.

Anyway, it's okay for the regexp to _fail_ if you're pushing the
limits, but returning an error code would be nicer that smashing the
stack and segfaulting. In web applications with possibly untrusted data
this can be a security risk, and that's PHP's primary use.

Might there be a way to get PCRE to handle such conditions gracefully?


Previous Comments:
------------------------------------------------------------------------

[2003-11-30 04:12:54] [EMAIL PROTECTED]

Not PHP bug. You just run into the documented PCRE limitations.. check
http://www.pcre.org/pcre.txt for topic "LIMITATIONS".




------------------------------------------------------------------------

[2003-11-29 20:13:24] f23wop602 at sneakemail dot com

Description:
------------
We had some crashes, and after some tracking we found a regexp which
crashes on specific data. The data is contained in the script in the
URL below, I cut it down as much as I could while still triggering the
crash.

Reproduce code:
---------------
http://test.wikipedia.org/crash-php4.3.4.txt

Most of it is just data, the crash occurs on the regexp on the data at
the end.

Actual result:
--------------
(gdb) bt
#0  0x808225c in match (
    eptr=0x81b4ec0 "kuterat: Enligt ''Miller'' (53) kommer en
Psi-liknande form (&Psi;) av kappa från Proto-Kanaaneiska. Kappa stod
troligtvis för /k/ såväl som /k_h/ i tidig grekisk ortografi och senare
återinfördes den"..., ecode=0x81b5e56 "8ÿÿÿÿ\177ÿÿÿÿÿÿï", 'ÿ' <repeats
20 times>, "=", offset_top=4, md=0xbfffca50, ims=0,
    eptrb=0xbf800198, flags=2) at
/tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:4986
#1  0x808236e in match (
    eptr=0x81b4ec0 "kuterat: Enligt ''Miller'' (53) kommer en
Psi-liknande form (&Psi;) av kappa från Proto-Kanaaneiska. Kappa stod
troligtvis för /k/ såväl som /k_h/ i tidig grekisk ortografi och senare
återinfördes den"..., ecode=0x81b5e53 "M", offset_top=4, md=0xbfffca50,
ims=0, eptrb=0xbf800198, flags=2)
    at /tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5059
#2  0x8082eb0 in match (
    eptr=0x81b4ec0 "kuterat: Enligt ''Miller'' (53) kommer en
Psi-liknande form (&Psi;) av kappa från Proto-Kanaaneiska. Kappa stod
troligtvis för /k/ såväl som /k_h/ i tidig grekisk ortografi och senare
återinfördes den"..., ecode=0x81b5e7e "?", offset_top=4, md=0xbfffca50,
ims=0, eptrb=0xbf800678, flags=2)
    at /tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5583

[snip]

#11143 0x808236e in match (
    eptr=0x81b38fd
">\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n\t<"..., ecode=0x81b5e53 "M", offset_top=4,
md=0xbfffca50, ims=0,
    eptrb=0xbfea1838, flags=2) at
/tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5059
#11144 0x8082eb0 in match (
    eptr=0x81b38fd
">\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n\t<"..., ecode=0x81b5e7e "?", offset_top=4,
md=0xbfffca50, ims=0,
    eptrb=0xbfea1d18, flags=2) at
/tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5583
#11145 0x808236e in match (
    eptr=0x81b38fc
"d>\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n\t"..., ecode=0x81b5e53 "M", offset_top=4,
md=0xbfffca50, ims=0,
    eptrb=0xbfea1d18, flags=2) at
/tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5059
#11146 0x8082eb0 in match (
    eptr=0x81b38fc
"d>\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n\t"..., ecode=0x81b5e7e "?", offset_top=4,
md=0xbfffca50, ims=0,
    eptrb=0xbfea21f8, flags=2) at
/tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5583
#11147 0x808236e in match (
    eptr=0x81b38fb
"td>\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n"..., ecode=0x81b5e53 "M", offset_top=4, md=0xbfffca50,
ims=0, eptrb=0xbfea21f8,
    flags=2) at /tmp/php-4.3.4/ext/pcre/pcrelib/pcre.c:5059
#11148 0x8082eb0 in match (
    eptr=0x81b38fb
"td>\r\n\t<td>[[Rho]]</td>\r\n\t<td>[rO:]</td>\r\n\t<td>[ro]</td>\r\n\t<td>&nbsp;</td>\r\n\t<td>[r]</td>\r\n\t<td>[r]</td>\r\n\t<td>100</td>\r\n\t<td>&#x5e8;
Resh</td>\r\n\t<td>&amp;rho;</td></tr>\r\n<tr><td>&Sigma;
&sigma;</td>\r\n"..., ecode=0x81b5e7e "?", offset_top=4, md=0xbfffca50,
ims=0, eptrb=0xbfea26d8,

And so on... You get the idea


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26469&edit=1

#26469 [Com]: Reproducible crash on regexp

Reply via email to