[php-maint] Bug#649733: php5-cgi: Segmentation fault in preg_replace()

Ondřej Surý ondrej at debian.org
Fri May 3 10:12:38 UTC 2013


reassign 649733 libpcre3
affects 649733 php5
found 649733 pcre3/8.02-1.1
found 649733 pcre3/1:8.31-2
thank you

The segfault happens in some infinite recursion in libpcre3:

#0  match (eptr=0x7ffff44ea9c1 ' ' <repeats 200 times>...,
ecode=0xf92027 "r", mstart=0x7ffff44e7f30 "c", ' ' <repeats 199
times>..., offset_top=6, md=0x7fffffffa800, eptrb=0x0, rdepth=10898)
    at pcre_exec.c:484
#1  0x00007ffff64e8345 in match (eptr=0x7ffff44ea9c1 ' ' <repeats 200
times>..., ecode=<optimized out>, mstart=0x7ffff44e7f30 "c", ' '
<repeats 199 times>..., offset_top=6, md=<optimized out>,
    eptrb=0x0, rdepth=10897) at pcre_exec.c:2000
[...]
#10898 0x00007ffff64e5332 in match (eptr=0x7ffff44e7f31 ' ' <repeats
200 times>..., ecode=0xf92015 "\177", mstart=0x7ffff44e7f30 "c", ' '
<repeats 199 times>..., offset_top=2,
    md=<optimized out>, eptrb=0x0, rdepth=0) at pcre_exec.c:957
#10899 0x00007ffff64e8f4c in pcre_exec (argument_re=0xf91fe0,
extra_data=0x7fffffffaa70, subject=<optimized out>, length=<optimized
out>, start_offset=0, options=0, offsets=0x7ffff44e7ba0,
    offsetcount=9) at pcre_exec.c:6919
#10900 0x0000000000477383 in php_pcre_replace_impl
(pce=0x7ffff4104030, subject=0x7ffff44e7750 "`wN\364\377\177",
subject_len=-197279046, replace_val=0x7fffffffabb0,
is_callable_replace=0,
    result_len=0x300000000, limit=4686387,
replace_count=0x7fffffffffff) at
/tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:1054
#10901 0x0000000000478233 in php_replace_in_subject
(regex=0x7ffff44e6028, replace=0x7ffff44e5ff8, subject=0x7ffff44b3180,
result_len=0x7fffffffabb0, limit=32767,
is_callable_replace=-196187992,
    replace_count=0x4787f7) at /tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:1281
#10902 0x00000000004787f7 in preg_replace_impl.isra.9 (ht=3,
return_value=0x7ffff44e5fc8, is_callable_replace=0, is_filter=0) at
/tmp/buildd/php5-5.4.4/ext/pcre/php_pcre.c:1379
#10903 0x0000000000746bd2 in zend_do_fcall_common_helper_SPEC
(execute_data=0x7ffff44b3060) at
/tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:642
#10904 0x0000000000700447 in execute (op_array=0x7ffff44e68a8) at
/tmp/buildd/php5-5.4.4/Zend/zend_vm_execute.h:410
#10905 0x00000000006a028e in zend_execute_scripts (type=8,
retval=0x7ffff44e6888, file_count=3) at
/tmp/buildd/php5-5.4.4/Zend/zend.c:1279
#10906 0x000000000063f863 in php_execute_script (primary_file=0x0) at
/tmp/buildd/php5-5.4.4/main/main.c:2473
#10907 0x00000000007491b3 in do_cli (argc=0, argv=0x7fffffffe81f) at
/tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:988
#10908 0x000000000043110a in main (argc=32767, argv=0xdb9220) at
/tmp/buildd/php5-5.4.4/sapi/cli/php_cli.c:1361

Ondrej

On Wed, Nov 23, 2011 at 5:14 PM, Olaf van der Spek <olaf at xwis.net> wrote:
> Package: php5-cgi
> Version: 5.3.3-7+squeeze3
> Severity: normal
>
> Hi,
>
> $ php preg.php
> Segmentation fault
>
> $ cat preg.php
> <?php
>   preg_replace("/c((\s|.)+?)\/c/", "\\1", 'c' . str_pad('', 16000) . '/c');
>
> Might be limited to x64.
>
> Greetings,
>
> Olaf
>
> -- System Information:
> Debian Release: 6.0.3
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages php5-cgi depends on:
> ii  libbz2-1.0         1.0.5-6               high-quality block-sorting file co
> ii  libc6              2.11.2-10             Embedded GNU C Library: Shared lib
> ii  libcomerr2         1.41.12-4stable1      common error description library
> ii  libdb4.8           4.8.30-2              Berkeley v4.8 Database Libraries [
> ii  libgssapi-krb5-2   1.8.3+dfsg-4squeeze2  MIT Kerberos runtime libraries - k
> ii  libk5crypto3       1.8.3+dfsg-4squeeze2  MIT Kerberos runtime libraries - C
> ii  libkrb5-3          1.8.3+dfsg-4squeeze2  MIT Kerberos runtime libraries
> ii  libmagic1          5.04-5                File type determination library us
> ii  libonig2           5.9.1-1               Oniguruma regular expressions libr
> ii  libpcre3           8.02-1.1              Perl 5 Compatible Regular Expressi
> ii  libqdbm14          1.8.77-4              QDBM Database Libraries [runtime]
> ii  libssl0.9.8        0.9.8o-4squeeze4      SSL shared libraries
> ii  libxml2            2.7.8.dfsg-2+squeeze1 GNOME XML library
> ii  mime-support       3.48-1                MIME files 'mime.types' & 'mailcap
> ii  php5-common        5.3.3-7+squeeze3      Common files for packages built fr
> ii  tzdata             2011k-0squeeze1       time zone and daylight-saving time
> ii  ucf                3.0025+nmu1           Update Configuration File: preserv
> ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime
>
> php5-cgi recommends no packages.
>
> Versions of packages php5-cgi suggests:
> pn  php-pear                      <none>     (no description available)
>
> -- no debconf information
>



-- 
Ondřej Surý <ondrej at sury.org>
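As an added example, not part of the bug report, of Ondřej's reply, or of PHP or libpcre itself: the crash above is libpcre's recursive match() running the C stack out, and PHP's default pcre.recursion_limit is high enough that the process dies before PHP ever reports an error. The script below runs the reporter's exact pattern and subject with the recursion budget bounded so the engine gives up cleanly, and it checks preg_last_error() instead of trusting the NULL that preg_replace() returns on failure. pcre.recursion_limit and pcre.backtrack_limit are real PHP ini directives; the value 5000 is an assumption picked to stay well inside a default 8 MiB stack, not a tuned figure, and preg_error_name() and checked_preg_replace() are hypothetical helper names.

```php
<?php
// Added example (not from the bug report, PHP or libpcre). Bound PCRE's
// recursion so deep matching stops with a reportable error rather than
// overrunning the C stack. Both directives are PHP_INI_ALL, so they can be
// set here or in php.ini; 5000 is an assumed value, not a tuned one.
ini_set('pcre.recursion_limit', '5000');
ini_set('pcre.backtrack_limit', '1000000');

// Map PREG_* error codes to names so a log line says what actually happened.
function preg_error_name($code)
{
    $names = array(
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
    );
    return isset($names[$code]) ? $names[$code] : "unknown error $code";
}

// preg_replace() returns NULL when the engine gives up. Code that ignores
// that silently continues with an empty result, so always check it.
function checked_preg_replace($pattern, $replacement, $subject)
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        return array(false, preg_error_name(preg_last_error()));
    }
    return array(true, $result);
}

// The reporter's input: 'c', 16000 spaces, then '/c'. Each lazy iteration
// of (\s|.)+? adds another recursion level inside libpcre's match().
$subject = 'c' . str_pad('', 16000) . '/c';
list($ok, $info) = checked_preg_replace("/c((\s|.)+?)\/c/", "\\1", $subject);
if ($ok) {
    echo "replaced, result length " . strlen($info) . "\n";
} else {
    echo "preg_replace refused the input: $info\n";
}
```

With the limit in place the expected outcome on a non-JIT PCRE is a NULL result and PREG_RECURSION_LIMIT_ERROR rather than a segfault; what you see on a given box depends on the libpcre version and, from PHP 7.0 on, on whether pcre.jit is enabled, in which case the JIT's own stack limit surfaces as PREG_JIT_STACKLIMIT_ERROR instead. Setting the directives in php.ini rather than per script is the sensible default for anything that runs regexes over untrusted input.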
