ID:               45546
 Comment by:       hempalex at gmail dot com
 Reported By:      kaiser at macbureau dot de
 Status:           Feedback
 Bug Type:         PCRE related
 Operating System: FreeBSD 7
 PHP Version:      5.2.6
 New Comment:

I reproduced this on FreeBSD 7.0 + Apache/2.2.9 + PHP/5.2.6 (bundled
PCRE)


script:

<?php

$str = str_repeat('a', 10000);
$utf8 = (preg_match("/^([\x09\x0A\x0D\x20-\x7E]|[\xC2-\xDF][\x80-\xBF]|\xE0[\xA0-\xBF][\x80-\xBF]|[\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}|\xED[\x80-\x9F][\x80-\xBF]|\xF0[\x90-\xBF][\x80-\xBF]{2}|[\xF1-\xF3][\x80-\xBF]{3}|\xF4[\x80-\x8F][\x80-\xBF]{2})*$/", $str)) ? "yes" : "no";
echo $utf8;

?>
mod_php:
   in apache logs: [notice] child pid 54586 exit signal Illegal instruction (4)

in cli works fine!


Previous Comments:
------------------------------------------------------------------------

[2008-07-22 23:08:28] nikolas dot hagelstein at gmail dot com

Confirmed. 

System:
FreeBSD 7
PHP 5.2.6 (PCRE Library Version => 7.6 2008-01-28)
stack size              (kbytes, -s) 524288

Backtrace:

#6216 0x000000080407a494 in match () from /usr/local/lib/php/20060613/pcre.so
#6217 0x000000080407701c in match () from /usr/local/lib/php/20060613/pcre.so
#6218 0x000000080407a494 in match () from /usr/local/lib/php/20060613/pcre.so
#6219 0x000000080407701c in match () from /usr/local/lib/php/20060613/pcre.so
#6220 0x0000000804076d05 in match () from /usr/local/lib/php/20060613/pcre.so
#6221 0x000000080407f12f in php_pcre_exec () from /usr/local/lib/php/20060613/pcre.so
#6222 0x0000000804084c02 in php_pcre_match_impl () from /usr/local/lib/php/20060613/pcre.so
#6223 0x000000080408569b in php_do_pcre_match () from /usr/local/lib/php/20060613/pcre.so
#6224 0x0000000000538912 in zend_do_fcall_common_helper_SPEC ()
#6225 0x0000000000528603 in execute ()
#6226 0x00000000005383a4 in zend_do_fcall_common_helper_SPEC ()
#6227 0x0000000000528603 in execute ()
#6228 0x0000000000508dd3 in zend_execute_scripts ()
#6229 0x00000000004c5a5d in php_execute_script ()

------------------------------------------------------------------------

[2008-07-19 12:19:46] [EMAIL PROTECTED]

I can reproduce. (PHP 5.2.7-dev)

==6244== Stack overflow in thread 1: can't grow stack to 0xBE04DFC0
==6244== 
==6244== Process terminating with default action of signal 11 (SIGSEGV)
==6244==  Access not within mapped region at address 0xBE04DFC0
==6244==    at 0x8099F78: match (pcre_exec.c:1287)
==6244== Stack overflow in thread 1: can't grow stack to 0xBE04DF9C
==6244== 
==6244== Process terminating with default action of signal 11 (SIGSEGV)
==6244==  Access not within mapped region at address 0xBE04DF9C
==6244==    at 0x401D200: _vgnU_freeres (vg_preloaded.c:56)


------------------------------------------------------------------------

[2008-07-19 11:13:41] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.3-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.3-win32-installer-latest.msi

I can't reproduce the crash here, nor does valgrind find any problem. Can
you please try the CVS version?

------------------------------------------------------------------------

[2008-07-17 19:29:53] kaiser at macbureau dot de

Sorry, c&p error, thanks, looking forward to hearing from you.

./test.php
Segmentation fault (core dumped)




#!/usr/local/bin/php
<?php

// Returns true when $str matches the byte-level UTF-8 pattern below.
function is_utf8($str) {
    return (preg_match('/^([\x00-\x7f]|[\xc2-\xdf][\x80-\xbf]|\xe0[\xa0-\xbf][\x80-\xbf]|[\xe1-\xec][\x80-\xbf]{2}|\xed[\x80-\x9f][\x80-\xbf]|[\xee-\xef][\x80-\xbf]{2}|\xf0[\x90-\xbf][\x80-\xbf]{2}|[\xf1-\xf3][\x80-\xbf]{3}|\xf4[\x80-\x8f][\x80-\xbf]{2})*$/', $str) === 1);
}

// Build a 5000-byte ASCII subject string.
$i = 0;
$str = '';
while ($i < 5000) {
    $str .= 'a';
    $i++;
}

is_utf8($str);

?>

------------------------------------------------------------------------

[2008-07-17 17:53:51] [EMAIL PROTECTED]

The pasted code is incomplete (doesn't even run). Please provide a
complete, but short, reproducible script.

------------------------------------------------------------------------
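
A defensive variant of the check discussed in this thread, as an added example that is not part of the original report or of PHP's own code. The helper names is_utf8_safe() and guarded_match() and the limit value 10000 are assumptions chosen for illustration; the subject string is constructed to match the reproducers above.

```php
<?php
// Added example; helper names and the limit value are hypothetical.

// Cap PCRE recursion so that a deep match fails with an error code
// instead of exhausting the C stack. 10000 is an assumed value: size it
// to the stack really available to the process (the report above shows
// the same script behaving differently under mod_php and the CLI).
ini_set('pcre.recursion_limit', '10000');

// Validate UTF-8 without the repeated capturing group "( ... )*" used by
// the reproducers. With the /u modifier PCRE checks the subject for valid
// UTF-8 before matching, and the empty pattern adds no further work.
function is_utf8_safe($str)
{
    return preg_match('//u', $str) === 1;
}

// For patterns that must stay as they are: separate "did not match" from
// "the engine gave up", which preg_match() reports by returning false.
function guarded_match($pattern, $subject)
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        switch (preg_last_error()) {
            case PREG_RECURSION_LIMIT_ERROR:
                return 'recursion-limit';
            case PREG_BACKTRACK_LIMIT_ERROR:
                return 'backtrack-limit';
            case PREG_BAD_UTF8_ERROR:
                return 'bad-utf8';
            default:
                return 'pcre-error';
        }
    }
    return $result === 1 ? 'match' : 'no-match';
}

// Constructed input: same shape as the subject strings in the report.
$subject = str_repeat('a', 10000);

var_dump(is_utf8_safe($subject));     // long, valid ASCII subject
var_dump(is_utf8_safe("\xC3\x28"));   // constructed invalid 2-byte sequence

// A shortened form of the reported pattern, run under the recursion cap.
echo guarded_match('/^([\x00-\x7f]|[\xc2-\xdf][\x80-\xbf])*$/', $subject), "\n";
```

Treat any value other than 'match' or 'no-match' from guarded_match() as a validation failure rather than as "not UTF-8", so that an oversized input cannot be mistaken for a clean negative result.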

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/45546
