#48501 [NEW]: Crash with preg_replace_callback

2009-06-08 Thread cobexer at gmail dot com
From: cobexer at gmail dot com
Operating system: Linux/openSuSE 11.1
PHP version:  5.2.9
PHP Bug Type: PCRE related
Bug description:  Crash with preg_replace_callback

Description:

When I tried to match nested patterns my Apache2 with PHP crashed -
however, for similar inputs a very similar regular expression is in use and
causes no problems... (but the crash seems to be related to the number of
nesting levels)

Reproduce code:
---
<?php // crash
$match=
"{IF(a)}if{IF(a)}fi{IF(a)}if{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{ELSE}else{IF(a)}if{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{/IF}";
// shorter test string -> still crash, but if I remove the first nested
// {IF... it doesn't crash any more
$match=
"{IF(a)}if{IF(a)}fi{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}";
$reg= '/\{IF\((.*)\)\}([^\{]+?)(\{ELSE\})?([^\{]*?)(\{\/IF\})/Us';
$matches= array();
function cback($t) { global $matches; $matches[]= $t; return '';}
preg_replace_callback($reg, 'cback', $match);
var_dump($matches);
?>

Expected result:

Array with the matches of the regExp correctly nested... but I was in the
stage of designing the regular expression itself - at least I did not
expect a crash...

Actual result:
--
Apache/2.2.10 (php loaded as module) error_log:
without 3rd party extensions:
[notice] child pid 11335 exit signal Segmentation fault (11)
with XDebug enabled:
[error] [client 127.0.0.1] ALERT - possible memory corruption detected -
unknown Hashtable destructor (attacker '127.0.0.1', file '/path/file.php')
when running php from the command line (no crash -> no backtrace):
$ php reproduce.php #same content as the code posted above!
array(2) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
}
ALERT - possible memory corruption detected - unknown Hashtable destructor
(attacker 'REMOTE_ADDR not set', file 'unknown')





#48501 [Opn]: Crash with preg_replace_callback

2009-06-08 Thread cobexer at gmail dot com
 ID:   48501
 User updated by:  cobexer at gmail dot com
 Reported By:  cobexer at gmail dot com
 Status:   Open
 Bug Type: PCRE related
 Operating System: Linux/openSuSE 11.1
 PHP Version:  5.2.9
 New Comment:

After submitting I found a similar bug ... #44214
but that one is closed and seems to have been "fixed" for a year now...


Previous Comments:


[2009-06-08 21:33:44] cobexer at gmail dot com




[PHP-BUG] Bug #52368 [NEW]: crash in preg_replace_impl

2010-07-17 Thread cobexer at gmail dot com
From: 
Operating system: Debian Lenny (5.0.5)
PHP version:  5.2.13
Package:  PCRE related
Bug Type: Bug
Bug description:crash in preg_replace_impl

Description:

The crash occurring is most likely related to very high integer/double
values (>10M) being inserted in a long string (~20K).

The problem does not occur on PHP 5.3.something so it might be a simple
backport :). Unless somebody can tell me how I get more information out of
the crashing process this is all I have (trying to print local variables of
the crashing function results in:

(gdb) p **regex
Cannot access memory at address 0x686f72393438343e

or similar).

The regular expression involved is most likely:

'/\{([A-Z0-9_]*)(?:\|(?P[A-Z0-9_]+))?\}/'

executed by preg_replace_callback, where the callback is an
array('class_name', 'some_private_function').

If required I try to build a small test script and attach that - but I
guess it's not required.

Probably related to http://bugs.php.net/bug.php?id=39016

Reproducible: always

Test script:
---

Expected result:

No PHP crash, correctly replaced string.

Actual result:
--
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f877c078750 (LWP 6259)]
preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, is_callable_replace=0 '\0')
    at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
warning: Source file is more recent than executable.
32  if (zvalue->type <= IS_BOOL) {
(gdb) bt
#0  preg_replace_impl (ht=5, return_value=0x12a8a90, return_value_ptr=0x137c970, this_ptr=0xb9e82fb02f28a27c, return_value_used=0, is_callable_replace=0 '\0') at /usr/src/php5/source/php5-5.2.13/Zend/zend_variables.h:32
#1  0x7f8774cef3cd in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5410) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:200
#2  0x7f8774cd8134 in execute (op_array=0xf02040) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#3  0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5760) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#4  0x7f8774cd8134 in execute (op_array=0xef48b0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#5  0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff5e70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#6  0x7f8774cd8134 in execute (op_array=0xf03780) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#7  0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff6330) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#8  0x7f8774cd8134 in execute (op_array=0xf02c90) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#9  0x7f8774ceecde in zend_do_fcall_common_helper_SPEC (execute_data=0x7fff9ac0) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:234
#10 0x7f8774cd8134 in execute (op_array=0xa2aa70) at /usr/src/php5/source/php5-5.2.13/Zend/zend_vm_execute.h:92
#11 0x7f8774cb41c8 in zend_execute_scripts (type=32767, retval=0x0, file_count=-25624) at /usr/src/php5/source/php5-5.2.13/Zend/zend.c:1215
#12 0x7f8774c6e0ea in php_execute_script (primary_file=Cannot access memory at address 0x80008b50
) at /usr/src/php5/source/php5-5.2.13/main/main.c:2058
#13 0x7f8774d2aa73 in php_handler (r=0x7f877423690a) at /usr/src/php5/source/php5-5.2.13/sapi/apache2handler/sapi_apache2.c:643
#14 0x00438f73 in ap_run_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:159
#15 0x0043c53f in ap_invoke_handler (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/config.c:373
#16 0x0044970e in ap_process_request (r=0xecc9a8) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_request.c:258
#17 0x00446838 in ap_process_http_connection (c=0xdfec88) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/modules/http/http_core.c:190
#18 0x00440493 in ap_run_process_connection (c=0xdfec88) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/connection.c:43
#19 0x0044dd10 in child_main (child_num_arg=) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:680
#20 0x0044e064 in make_child (s=0x675968, slot=1) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:777
#21 0x0044e60c in ap_mpm_run (_pconf=, plog=, s=0x675968) at /build/buildd-apache2_2.2.9-10+lenny8-amd64-OpzZ7v/apache2-2.2.9/server/mpm/prefork/prefork.c:795
#22 0x00425be5 in main (argc=3, argv=0x7fffc558) at /build/build

Bug #52368 [Com]: crash in preg_replace_impl

2010-07-30 Thread cobexer at gmail dot com

 ID: 52368
 Comment by: cobexer at gmail dot com
 Reported by:cobexer at gmail dot com
 Summary:crash in preg_replace_impl
 Status: Feedback
 Type:   Bug
 Package:PCRE related
 Operating System:   Debian Lenny (5.0.5)
 PHP Version:5.2.13
 Block user comment: N

 New Comment:

Hmm, that crash is hard to nail down;
it doesn't crash on all of my computers, therefore I did the following:

 * created a crashing test script (currently ~150 lines)
 * compiled PHP 5.2.14 (with -O0) (in /php) on an i586 openSUSE Factory (a
   bit newer than 11.3)
 * created a core dump
 * tar'gz'ed it together

 and uploaded that to http://gomorrah-online.de/php-5.2.14-crash.tar.gz

Important contents:

 scrash.php : the PHP script with the code to crash (run with php -e)
 scrash.php.log : the output of the script till it crashed
 php-bt.txt : output of "bt" and "bt full"
 core : the core dump itself

Maybe that helps already,

regards cobexer


Previous Comments:

[2010-07-18 19:39:03] fel...@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.



--------
[2010-07-17 23:48:30] cobexer at gmail dot com


Bug #52368 [Com]: crash in preg_replace_impl

2010-08-12 Thread cobexer at gmail dot com

 ID: 52368
 Comment by: cobexer at gmail dot com
 Reported by:cobexer at gmail dot com
 Summary:crash in preg_replace_impl
 Status: Feedback
 Type:   Bug
 Package:PCRE related
 Operating System:   Debian Lenny (5.0.5)
 PHP Version:5.2.13
 Block user comment: N

 New Comment:

I did a quick test today:

using http://snaps.php.net/php5.3-latest.tar.gz (from yesterday) does
not crash (as expected, since the problem didn't exist there anyway).

However, using http://snaps.php.net/php5.2-latest.tar.gz (from yesterday)
still crashes on the same line as before.

(Tested on i586 openSuSE 11.4 (Factory).)

regards cobexer


Previous Comments:

[2010-08-09 03:19:31] fel...@php.net

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/




[2010-07-30 21:24:40] cobexer at gmail dot com


Bug #52368 [Com]: crash in preg_replace_impl

2010-08-30 Thread cobexer at gmail dot com

 ID: 52368
 Comment by: cobexer at gmail dot com
 Reported by:cobexer at gmail dot com
 Summary:crash in preg_replace_impl
 Status: Feedback
 Type:   Bug
 Package:PCRE related
 Operating System:   Debian Lenny (5.0.5)
 PHP Version:5.2.13
 Block user comment: N

 New Comment:

I found a workaround for the crash:

as soon as I removed the $count parameter (and the $limit) the crash was
gone =)

mixed preg_replace_callback ( mixed $pattern , callback $callback ,
mixed $subject [, int $limit = -1 [, int &$count ]] )



regards cobexer
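One way to do both things the reporter's scripts do, added here as an illustration (it is not code from either bug report, from scrash.php or from PHP itself): nested {IF}...{/IF} blocks are matched with PCRE recursion rather than the flat pattern from the first report, the reporter's workaround of passing no $limit/&$count is applied by counting inside the callback instead, and preg_last_error() is checked after every call. The name of the named group is elided on the page, so the group name filter, the sample template, the variables and the filter table are all assumptions.

```php
<?php
// Added example for this thread; not code from the bug reports, from the
// reporter's scrash.php or from PHP itself. It combines nested
// {IF(cond)}..{ELSE}..{/IF} blocks (bug 48501) with {NAME|FILTER}
// placeholders (bug 52368), with three defensive choices the thread points at:
//  * balanced nesting is matched with PCRE recursion, (?R), instead of the
//    flat pattern from the report, and the callback recurses into the kept branch;
//  * no $limit / &$count arguments are passed to preg_replace_callback
//    (the reporter's own workaround); replacements are counted in the closure;
//  * every preg_* result goes through preg_last_error(), so hitting
//    pcre.backtrack_limit / pcre.recursion_limit raises instead of silently
//    yielding NULL.
// Assumptions: the named group is called "filter" (its name is elided on the
// page); template, variables and filter table below are constructed samples.

function block_pattern(): string {
    // Body = runs of non-brace text, a nested block via (?R), or a '{' that
    // does not open {IF(, {ELSE} or {/IF}. Quantifiers are possessive so a
    // malformed block fails fast instead of backtracking.
    $body = '(?:[^{]++|(?R)|\{(?!IF\(|ELSE\}|\/IF\}))*+';
    return '/\{IF\(([A-Za-z0-9_]+)\)\}(' . $body . ')(?:\{ELSE\}(' . $body . '))?\{\/IF\}/s';
}

function check_preg($result) {
    if ($result === null || preg_last_error() !== PREG_NO_ERROR) {
        throw new RuntimeException('PCRE failure, preg_last_error() = ' . preg_last_error());
    }
    return $result;
}

// Expand IF blocks outermost first; the kept branch is rendered recursively.
function render_blocks(string $tpl, array $vars): string {
    $cb = function (array $m) use ($vars): string {
        // $m[3] is absent when the block has no {ELSE}
        $branch = !empty($vars[$m[1]]) ? $m[2] : ($m[3] ?? '');
        return render_blocks($branch, $vars);
    };
    return check_preg(preg_replace_callback(block_pattern(), $cb, $tpl));
}

// Expand {NAME} and {NAME|FILTER}. $filters is a fixed whitelist of callables;
// the template can never name an arbitrary function.
function render_placeholders(string $tpl, array $vars, array $filters, int &$count): string {
    $count = 0;
    $pattern = '/\{([A-Z0-9_]*)(?:\|(?P<filter>[A-Z0-9_]+))?\}/';
    $cb = function (array $m) use ($vars, $filters, &$count): string {
        if (!array_key_exists($m[1], $vars)) {
            return $m[0];                 // unknown name: leave the placeholder visible
        }
        $value = (string) $vars[$m[1]];   // large ints/doubles become plain strings
        $filter = $m['filter'] ?? '';
        if ($filter !== '' && isset($filters[$filter])) {
            $value = $filters[$filter]($value);
        }
        $count++;
        return $value;
    };
    return check_preg(preg_replace_callback($pattern, $cb, $tpl));
}

// Constructed sample input in the style of the reports.
$template = "{IF(LOGGED_IN)}Hi {USER|UPPER}, balance {BALANCE}{IF(ADMIN)} [admin]{ELSE}{/IF}"
          . "{ELSE}Please log in{/IF}";
$vars    = ['LOGGED_IN' => true, 'ADMIN' => false, 'USER' => 'cobexer', 'BALANCE' => 12345678.5];
$filters = ['UPPER' => 'strtoupper', 'LOWER' => 'strtolower'];

$count = 0;
$out = render_placeholders(render_blocks($template, $vars), $vars, $filters, $count);
echo $out, "\n";
echo $count, " placeholder(s) replaced\n";
```

An unbalanced block simply fails to match and is left in the output, while a pattern that exhausts pcre.backtrack_limit or pcre.recursion_limit surfaces as a RuntimeException rather than a NULL that later code would treat as an empty string.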


Previous Comments:

[2010-08-12 21:19:59] cobexer at gmail dot com
