ID:               48501
 Updated by:       scott...@php.net
 Reported By:      cobexer at gmail dot com
-Status:           Open
+Status:           Closed
 Bug Type:         PCRE related
 Operating System: Linux/openSuSE 11.1
 PHP Version:      5.2.9
 New Comment:

This was only fixed in 5.3; I've now backported it to 5.2.


Previous Comments:
------------------------------------------------------------------------

[2009-06-08 21:38:04] cobexer at gmail dot com

After submitting I found a similar bug ... #44214
but that one is closed and seems to have been "fixed" for one year now...

------------------------------------------------------------------------

[2009-06-08 21:33:44] cobexer at gmail dot com

Description:
------------
When I tried to match nested patterns my apache2 with PHP crashed -
however, for similar inputs a very similar regular expression is in use
and causes no problems... (but the crash seems to be related to the
number of nesting levels)

Reproduce code:
---------------
<?php
        // long test string -> crash
        $match = "{IF(a)}if{IF(a)}fi{IF(a)}if{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{ELSE}else{IF(a)}if{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}{/IF}";
        // shorter test string -> still crashes, but if I remove the first nested {IF... it doesn't crash any more
        $match = "{IF(a)}if{IF(a)}fi{ELSE}else{/IF}{ELSE}else{IF(a)}if{ELSE}else{/IF}{/IF}";
        $reg = '/\{IF\((.*)\)\}([^\{]+?)(\{ELSE\})?([^\{]*?)(\{\/IF\})/Us';
        $matches = array();
        // callback appends each match to the global $matches array and replaces it with an empty string
        function cback($t) { global $matches; $matches[] = $t; return ''; }
        preg_replace_callback($reg, 'cback', $match);
        var_dump($matches);
?>

Expected result:
----------------
Array with the matches of the regExp correctly nested... but I was in
the stage of designing the regular expression itself - at least I did
not expect a crash...

Actual result:
--------------
Apache/2.2.10 (php loaded as module) error_log:
without 3rd party extensions:
[notice] child pid 11335 exit signal Segmentation fault (11)
with XDebug enabled:
[error] [client 127.0.0.1] ALERT - possible memory corruption detected
- unknown Hashtable destructor (attacker '127.0.0.1', file
'/path/file.php')
when running php from the command line (no crash -> no backtrace):
$ php reproduce.php #same content as the code posted above!
array(2) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
}
ALERT - possible memory corruption detected - unknown Hashtable
destructor (attacker 'REMOTE_ADDR not set', file 'unknown')



------------------------------------------------------------------------

