ID: 26020
Updated by: sniper@php.net
Reported By: coldrain at workingonit dot org
-Status: Open
+Status: Bogus
Bug Type: PCRE related
Operating System: Linux
PHP Version: 4.3.3
New Comment:

Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the existing bug instead.

Thank you for your interest in PHP.

See bug #25754 (I get the same GDB backtraces with your example script
and the one in that report)



Previous Comments:
------------------------------------------------------------------------

[2003-10-28 16:54:12] coldrain at workingonit dot org

Earlier this evening, I installed a fresh 4.3.3 from source on a Debian
3.1 box with:
leo:/work/php-4.3.3# ./configure --with-mysql
leo:/work/php-4.3.3# make
leo:/work/php-4.3.3# make install
Pretty default, nothing fancy.
It didn't change anything with regards to the segfault problem with
preg_replace.

In http://www.workingonit.org/bug26020/bug26020.tgz you find 4 files, 2
html files to be used as source files, and the 2 accompanying php
files. You will have to adapt the php scripts to your own needs (aka
set the $folder).

As mentioned before, the results apparently are dependent on what
platform the scripts are executed on, so you might have to twiddle with
the html source files (add or delete characters from the body) in order
to reproduce the problem.

I have to admit I'm not very knowledgeable on the PCRE library itself.
Otoh, it's odd that two different distros with the same installed cli
version of php (4.2.2) give different results in how big the
to-be-converted file can be. Even if one of these boxes is 'upgraded'
to the newest version of php, the problem remains. Not really upgraded,
since I removed the previous 4.2.2 install.

If you need more info, config, or whatever, I'm happy to provide it.

------------------------------------------------------------------------

[2003-10-28 16:03:09] sniper@php.net

Please provide the configure line you used to configure PHP
and also a complete example. I actually think this is not really any
bug as is, but simply a limitation in PCRE library.
The maximum length of a matched pattern. (iirc..:)



------------------------------------------------------------------------

[2003-10-28 12:08:57] coldrain at workingonit dot org

Description:
------------
Variable $fileContent is a rather small html file. A function (see
below) converts some comment tags and writes the output to a different
file. On a RH 8 install, the maximum size of this html file is 9233
bytes. Add 1 or more characters to the html file, and the function
causes a segmentation fault. PHP version is 4.2.2 which comes standard
with RedHat.
Also tested on a Debian 3.1 install, where the max size of the source
html file proved to be 11690 bytes.

Reproduce code:
---------------
<?php
// Rewrites WebEdit comment divs into #BeginEditable/#EndEditable markers.
function revertComments($fileContent) {
    $pattern = "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";
    $replace = "<!-- #BeginEditable \"\\1\" -->\\2<!-- #EndEditable -->";
    $fileContent = preg_replace($pattern, $replace, $fileContent);
    return $fileContent;
}


Expected result:
----------------
The function should convert the input.

Actual result:
--------------
The script I used was called jjj.php. The output is only part of the
strace. The size of the source html to be converted was 9234 bytes.

open("jjj.php", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
getcwd("/var/www/html/interselect-r30/testjes", 4096) = 38
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes", {st_mode=S_IFDIR|0757, st_size=4096, ...}) = 0
lstat64("/var/www/html/interselect-r30/testjes/jjj.php", {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=697, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<?php\n\n\n\nfunction revertComments"..., 4096) = 697
_llseek(3, 0, [0], SEEK_SET) = 0
brk(0) = 0x824c000
brk(0x8250000) = 0x8250000
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffd1b0) = -1 ENOTTY (Inappropriate ioctl for device)
brk(0) = 0x8250000
brk(0x8251000) = 0x8251000
read(3, "<?php\n\n\n\nfunction revertComments"..., 8192) = 697
read(3, "", 4096) = 0
brk(0) = 0x8251000
brk(0x8252000) = 0x8252000
read(3, "", 8192) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE, 0xbfffc150) = -1 ENOTTY (Inappropriate ioctl for device)
close(3) = 0
munmap(0x4001a000, 4096) = 0
open("/var/www/html/interselect-r30/testjes/content.html", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9235, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
read(3, "<div id=\"WebEdit\" comment=\"wijzi"..., 4096) = 4096
read(3, "to cause problems (at least that"..., 4096) = 4096
read(3, "y frustrated with the lack of pr"..., 4096) = 1043
read(3, "", 4096) = 0
close(3) = 0
munmap(0x4001a000, 4096) = 0
brk(0) = 0x8252000
brk(0x8254000) = 0x8254000
brk(0) = 0x8254000
brk(0x8259000) = 0x8259000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

The same script with the same html source file but 1 character removed
has more or less the same output as above, but continues (see below)
instead of segfaulting:

open("/var/www/html/interselect-r30/testjes/geconverteerd.html", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
write(3, "<!-- #BeginEditable \"wijzigbare "..., 8192) = 8192
write(3, "rustrated with the lack of progr"..., 1054) = 1054
close(3) = 0
munmap(0x4001a000, 4096) = 0
write(1, "X-Powered-By: PHP/4.2.2", 23X-Powered-By: PHP/4.2.2) = 23
write(1, "\r\n", 2
) = 2
write(1, "Content-type: text/html", 23Content-type: text/html) = 23
write(1, "\r\n", 2
) = 2
write(1, "\r\n", 2
) = 2
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
munmap(0x408d6000, 40280) = 0
munmap(0x408e9000, 171372) = 0
munmap(0x40913000, 42104) = 0
munmap(0x4091e000, 42532) = 0
munmap(0x40792000, 797228) = 0
munmap(0x40855000, 76604) = 0
munmap(0x40868000, 384604) = 0
munmap(0x408c6000, 64436) = 0
munmap(0x40014000, 4552) = 0
munmap(0x408e0000, 34836) = 0
munmap(0x40929000, 221952) = 0
munmap(0x40016000, 14392) = 0
munmap(0x40969000, 509688) = 0
_exit(0) = ?



------------------------------------------------------------------------
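Added example (not code from the report or from PHP itself): the report's pattern nests unbounded quantifiers, `((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)`, so the work PCRE does grows steeply with input size, which is why the crash appears only above a size threshold. The snippet below, assuming PHP 8.0 or later and a constructed input, shows a guarded wrapper that detects PCRE giving up instead of silently writing an empty file, next to a rewrite of the pattern without the nested star.

```php
<?php
// Added example, not from the bug report. Assumes PHP >= 8.0.
// Modern PHP no longer segfaults on this pattern: it stops the match at
// pcre.backtrack_limit / pcre.recursion_limit and preg_replace() returns
// NULL, which a caller that writes the result straight to a file would
// never notice.

// Pattern from the report, kept verbatim for comparison.
const NESTED_PATTERN =
    "/<div\s+id=\"?WebEdit\"?\s+comment=\"([^\"]+)\">((?:(?:<div[^>]*>[\d\D]*<\/div>)|[\d\D]*)*)<\/div>/siU";

// Bounded rewrite: a single lazy [\d\D]*? for the body and no nested star,
// so PCRE advances one character at a time and never piles up alternatives.
// Like the original under /U it stops at the first </div>; genuinely nested
// divs need an HTML parser, not a regex.
const BOUNDED_PATTERN =
    '/<div\s+id="?WebEdit"?\s+comment="([^"]+)">([\d\D]*?)<\/div>/si';

function revertComments(string $fileContent, string $pattern): string {
    $replace = '<!-- #BeginEditable "\\1" -->\\2<!-- #EndEditable -->';
    $result = preg_replace($pattern, $replace, $fileContent);
    if ($result === null) {   // PCRE gave up: refuse to write the file
        throw new RuntimeException('preg_replace failed: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed input, padded past the ~9 KB threshold the report observed.
$html = '<div id="WebEdit" comment="wijzigbaar">'
      . str_repeat("<p>tekst</p>\n", 1000) . '</div>';
$expected = '<!-- #BeginEditable "wijzigbaar" -->'
      . str_repeat("<p>tekst</p>\n", 1000) . '<!-- #EndEditable -->';

if (revertComments($html, BOUNDED_PATTERN) !== $expected) {
    throw new LogicException('bounded pattern produced unexpected output');
}

// Make the failure mode visible with a deliberately tiny backtrack limit:
// the nested pattern needs far more than 1000 match steps on this input.
$saved = ini_get('pcre.backtrack_limit');
ini_set('pcre.backtrack_limit', '1000');
try {
    revertComments($html, NESTED_PATTERN);
    echo "nested pattern finished within the limit\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // e.g. "Backtrack limit exhausted"
}
ini_set('pcre.backtrack_limit', $saved);
```

The same check belongs in any code that feeds untrusted or unbounded input to preg_replace(): a NULL return is an error, not an empty match.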


--
Edit this bug report at http://bugs.php.net/?id=26020&edit=1