Bug 133891 - php Segmentation fault in preg_match with about 16000 bytes data
php Segmentation fault in preg_match with about 16000 bytes data
Product: Fedora
Classification: Fedora
Component: php (Show other bugs)
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Joe Orton
David Lawrence
Depends On:
  Show dependency treegraph
Reported: 2004-09-28 06:35 EDT by Doncho N. Gunchev
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-10-30 10:04:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Doncho N. Gunchev 2004-09-28 06:35:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)

Description of problem:
    PHP's preg_match segfaults with more than about 13495 (random, but
with 16000 - always).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install FC1/FC3t2 (haven't tested others yet)
2. do preg_match('/(.|\n)*/', $d, $a) with $d > 16000 bytes

Actual Results:  Segmentation fault

Expected Results:  Anything else :)

Additional info:

here's my test script:

# somewhere around 13495 bytes
dd if=/dev/zero bs=1 count=16000 > crash.html
cat << EOF > crash.php
#!/usr/bin/php -q
set_time_limit(0);      // Don't die today

\$f = 'crash.html';
\$h = fopen(\$f, 'r');
\$d = fread(\$h, 1024 * 16000);
if (! preg_match('/(.|\n)*/', \$d, \$a)) {
    die("Can not parse document!\n");
} else {
    echo("Match: '{\$a[1]}'\n");
chmod a+x crash.php

PS: adjust php.ini to allow more than 8MB mem usage (16/32).
I tested this with FC1 and FC3-t2.
Comment 1 Joe Orton 2004-09-28 07:58:05 EDT
Yes, pcre handles such expressions using function recursion so it
exhausts the stack for a long input string, we saw this elsewhere
Comment 2 Doncho N. Gunchev 2004-09-28 08:43:20 EDT
    Is there pcre bug (I can't find it), so this bug can be marked as
depending on it?
    If there's no such bug report can someone fill it (or should I),
because there are other programs that use this library? Postfix with
pcre enabled can be crashed if it is parsing big message body with
pcre for example. Looks serious :(
Comment 3 Joe Orton 2004-10-07 12:16:40 EDT
Yes, many bugs upstream have been filed upstream and are usually
closed with "it's a pcre problem".

Comment 4 Doncho N. Gunchev 2004-10-11 17:16:14 EDT
Yes, and sadly, I should report that even pcre-5.0 (which changes
license to BSD and should fix some UTF-8 related bugs) does not help.
Is there any alternative? Can perl's regex engine be used instead?
Comment 5 Matthew Miller 2006-07-10 19:22:37 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 6 John Thacker 2006-10-30 10:04:18 EST
Closing per lack of response to previous request for information.  This bug was
originally filed against FC3 and has remained in NEEDINFO state for quite some
time.  Many packages and bugfixes have been made since the last substantive bug

Note that FC3 and FC4 are supported by Fedora Legacy for security
fixes only.  Please install a still supported version and retest.  If
it still occurs on FC5 or FC6, please reopen and assign to the correct
version.  Otherwise, if this a security issue, please change the
product to Fedora Legacy.  Thanks, and we are sorry that we did not
get to this bug earlier.
Comment 7 Doncho N. Gunchev 2007-03-01 17:46:44 EST
The bug is still present in FC6, but it's not RHEL/FC specific, maybe not so
critical and would be better to be fixed upstream...
If someone is interested and can help - please reopen(mail me to).

Note You need to log in before you can comment on or make changes to this bug.