[pcre-dev] [Bug 1617] New: Segmentation fault in preg_match(…

Αρχική Σελίδα
Delete this message
Συντάκτης: Henri Salo
Ημερομηνία:  
Προς: pcre-dev
Αντικείμενο: [pcre-dev] [Bug 1617] New: Segmentation fault in preg_match() with PHP 5.6.8/5.5.24
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1617
           Summary: Segmentation fault in preg_match() with PHP 5.6.8/5.5.24
           Product: PCRE
           Version: N/A
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: low
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: henri+pcre@???
                CC: pcre-dev@???



Please ask if you need more information or details.

poc.php:

<?php
$pattern = file_get_contents($argv[1]);
preg_match($pattern, 'henri', $matches, PREG_OFFSET_CAPTURE, 3);
?>

echo "$(cat afl-php-001)"; ./build/php/5.6.8/bin/php -v;
./build/php/5.6.8/bin/php poc.php afl-php-001

((?1)+()(())())*())
PHP 5.6.8 (cli) (built: Apr 17 2015 09:28:04)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies
Segmentation fault

(gdb) run poc.php afl-php-001
Starting program: /home/fgeek/build/php/5.6.8/bin/php poc.php afl-php-001
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005a6d5c in first_significant_code (skipassert=1, code=0x1dba9d9 "u")
at /home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:1648
1648      switch ((int)*code)
(gdb) bt full
#0  0x00000000005a6d5c in first_significant_code (skipassert=1, code=0x1dba9d9
"u") at /home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:1648
No locals.
#1  could_be_empty_branch (code=0x1dba9d6 "\201", endcode=0x1dbaa0e "", utf=0,
cd=0x7fffffff92f0, recurses=0x0) at
/home/fgeek/temp/php-5.6.8/ext/pcre/pcrelib/pcre_compile.c:2343
        c = <optimized out>
        this_recurse = <error reading variable this_recurse (Cannot access
memory at address 0x7fffff7fefe8)>
#2  0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) list
1643    static const pcre_uchar*
1644    first_significant_code(const pcre_uchar *code, BOOL skipassert)
1645    {
1646    for (;;)
1647      {
1648      switch ((int)*code)
1649        {
1650        case OP_ASSERT_NOT:
1651        case OP_ASSERTBACK:
1652        case OP_ASSERTBACK_NOT:


fgeek@sid:~$ valgrind ./build/php/5.6.8/bin/php poc.php afl-php-001
==12892== Memcheck, a memory error detector
==12892== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==12892== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==12892== Command: ./build/php/5.6.8/bin/php poc.php afl-php-001
==12892== 
==12892== Stack overflow in thread 1: can't grow stack to 0xffe801ff8
==12892== 
==12892== Process terminating with default action of signal 11 (SIGSEGV)
==12892==  Access not within mapped region at address 0xFFE801FF8
==12892==    at 0x5A6CED: could_be_empty_branch (pcre_compile.c:2339)
==12892==  If you believe this happened as a result of a stack
==12892==  overflow in your program's main thread (unlikely but
==12892==  possible), you can try to increase the size of the
==12892==  main thread stack using the --main-stacksize= flag.
==12892==  The main thread stack size used in this run was 8388608.
==12892== Stack overflow in thread 1: can't grow stack to 0xffe801ff0
==12892== 
==12892== Process terminating with default action of signal 11 (SIGSEGV)
==12892==  Access not within mapped region at address 0xFFE801FF0
==12892==    at 0x4A236C0: _vgnU_freeres (vg_preloaded.c:58)
==12892==  If you believe this happened as a result of a stack
==12892==  overflow in your program's main thread (unlikely but
==12892==  possible), you can try to increase the size of the
==12892==  main thread stack using the --main-stacksize= flag.
==12892==  The main thread stack size used in this run was 8388608.
==12892== 
==12892== HEAP SUMMARY:
==12892==     in use at exit: 3,066,152 bytes in 11,480 blocks
==12892==   total heap usage: 11,846 allocs, 366 frees, 3,133,021 bytes
allocated
==12892== 
==12892== LEAK SUMMARY:
==12892==    definitely lost: 0 bytes in 0 blocks
==12892==    indirectly lost: 0 bytes in 0 blocks
==12892==      possibly lost: 0 bytes in 0 blocks
==12892==    still reachable: 3,066,152 bytes in 11,480 blocks
==12892==         suppressed: 0 bytes in 0 blocks
==12892== Rerun with --leak-check=full to see details of leaked memory
==12892== 
==12892== For counts of detected and suppressed errors, rerun with: -v
==12892== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault



--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email