https://bugs.exim.org/show_bug.cgi?id=2035
Bug ID: 2035
Summary: Segmentation fault in PHP7.1.1(bundled PCRE8.38)
Product: PCRE
Version: 8.38
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: idaifish@???
CC: pcre-dev@???
Segmentation fault in php_src/ext/pcre/pcrelib/pcre_jit_compile.c:7336.
$ php -r "echo PCRE_VERSION;"
8.38 2015-11-23
$ php -v
PHP 7.1.1 (cli) (built: Feb 12 2017 15:35:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
Test script:
---------------
<?php
$pattern = "/(((?(?!))0(?1))(?''))/";
preg_match($pattern, "helloworld");
?>
Actual result:
--------------
ASAN Result:
==106214==ERROR: AddressSanitizer: SEGV on unknown address 0x60b000017fe0 (pc 0x000000750be8 bp 0x7ffe5a0aeb60 sp 0x7ffe5a0adf00 T0)
==106214==The signal is caused by a READ memory access.
#0 0x750be7 in compile_bracket_matchingpath (/tmp/php+0x750be7)
#1 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
#2 0x750fe3 in compile_bracket_matchingpath (/tmp/php+0x750fe3)
#3 0x70cf95 in compile_matchingpath (/tmp/php+0x70cf95)
#4 0x711ebd in compile_recurse (/tmp/php+0x711ebd)
#5 0x6fbe01 in _pcre_jit_compile (/tmp/php+0x6fbe01)
#6 0x6e99ed in php_pcre_study (/tmp/php+0x6e99ed)
#7 0x77b1ce in pcre_get_compiled_regex_cache (/tmp/php+0x77b1ce)
#8 0x79aa23 in php_do_pcre_match (/tmp/php+0x79aa23)
#9 0x78a61e in zif_preg_match (/tmp/php+0x78a61e)
#10 0x1a52c81 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (/tmp/php+0x1a52c81)
#11 0x17c8be3 in execute_ex (/tmp/php+0x17c8be3)
#12 0x17cae8a in zend_execute (/tmp/php+0x17cae8a)
#13 0x15c0a84 in zend_execute_scripts (/tmp/php+0x15c0a84)
#14 0x1351285 in php_execute_script (/tmp/php+0x1351285)
#15 0x1c94879 in do_cli (/tmp/php+0x1c94879)
#16 0x1c91ca0 in main (/tmp/php+0x1c91ca0)
#17 0x7f98bd6d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x43a768 in _start (/tmp/php+0x43a768)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/php+0x750be7) in compile_bracket_matchingpath
GDB backtrace:
#0 0x0000000000661138 in compile_bracket_matchingpath (common=0x7fffffffa5e8,
cc=0x1f04d4f "x", parent=0x7fffffffa870) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:7336
#1 0x000000000062aa23 in compile_matchingpath (common=0x7fffffffa5e8,
cc=<optimized out>, ccend=0x1f04d57 "x", parent=0x7fffffffa870) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:8497
#2 0x0000000000609e7c in compile_recurse (common=<optimized out>) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:9719
#3 _pcre_jit_compile (re=0x1f04d00, extra=0x1f04d70, mode=0) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_jit_compile.c:10223
#4 0x00000000005e97d5 in php_pcre_study (external_re=0x1f04d00, options=1,
errorptr=<optimized out>) at
/home/idaifish/Workspace/PHP/PHPs/php-7.1.1/ext/pcre/pcrelib/pcre_study.c:1628
#5 0x00000000006ac7e9 in pcre_get_compiled_regex_cache (regex=0x7ffff3c71120)
at ext/pcre/php_pcre.c:518
#6 0x00000000006bf5dc in php_pcre_replace (regex=0x1f1b541, subject=<optimized
out>, subject_len=<optimized out>, replace_val=<optimized out>,
is_callable_replace=<optimized out>, limit=<optimized out>,
replace_count=<optimized out>, subject_str=<optimized out>) at
ext/pcre/php_pcre.c:1132
#7 php_replace_in_subject (regex=0x7ffff3c13230, replace=0x7ffff3c13240,
subject=<optimized out>, limit=-1, is_callable_replace=0,
replace_count=0x7fffffffabf4) at ext/pcre/php_pcre.c:1495
#8 0x00000000006be0ff in preg_replace_impl (return_value=0x7fffffffac78,
regex=0x7ffff3c13230, replace=0x7ffff3c13240, subject=0x7ffff3c13250,
limit_val=-1, is_callable_replace=0, is_filter=<optimized out>) at
ext/pcre/php_pcre.c:1554
#9 0x00000000006bb5ef in zif_preg_filter (execute_data=0x7ffff3c131e0,
return_value=0x7fffffffac78) at ext/pcre/php_pcre.c:1721
#10 0x00000000015ba4b5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER
(execute_data=0x7ffff3c13030) at Zend/zend_vm_execute.h:628
#11 0x00000000014a7510 in execute_ex (ex=<optimized out>) at
Zend/zend_vm_execute.h:432
#12 0x00000000014a812b in zend_execute (op_array=0x7ffff3c7d000,
return_value=<optimized out>) at Zend/zend_vm_execute.h:474
#13 0x0000000001371f21 in zend_execute_scripts (type=<optimized out>,
retval=0x0, file_count=3) at Zend/zend.c:1474
#14 0x00000000011a84dc in php_execute_script (primary_file=0x7fffffffe218) at
main/main.c:2537
#15 0x00000000016a555d in do_cli (argc=<optimized out>, argv=<optimized out>)
at sapi/cli/php_cli.c:993
#16 0x00000000016a1dd9 in main (argc=<optimized out>, argv=<optimized out>) at
sapi/cli/php_cli.c:1381
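Both traces above crash inside _pcre_jit_compile, reached from php_pcre_study with the JIT study option, so the defender-side mitigation until the bundled PCRE is fixed is to keep the affected build's pattern compilation off the JIT path. The script below is an added example, not part of the reporter's message and not code from PHP or PCRE: it uses PHP's real pcre.jit ini directive (runtime-changeable) to compile a pattern with JIT disabled, and treats the "8.38 or older is affected" bound as an assumption taken only from the version in this report, since the page does not say which release fixes it.

```php
<?php
// Added example, not from the bug report: guard a PHP application that must
// keep running on a build whose bundled PCRE exhibits this JIT-compile crash.
// PHP only studies patterns with PCRE_STUDY_JIT_COMPILE when pcre.jit is on,
// so turning it off for the call avoids the _pcre_jit_compile frame entirely.

// The reporter's crashing pattern, kept here as constructed sample input.
const CRASHING_PATTERN = "/(((?(?!))0(?1))(?''))/";

/**
 * True when the linked PCRE is at or below the version in this report.
 * ASSUMPTION: only 8.38 is known affected from the page; replace the bound
 * with the real fixed version once it is published.
 */
function pcreJitCrashSuspected(): bool
{
    // PCRE_VERSION looks like "8.38 2015-11-23"; keep the numeric part only.
    $version = strtok(PCRE_VERSION, ' ');
    return version_compare($version, '8.38', '<=');
}

/**
 * Runs preg_match() with the PCRE JIT disabled for the duration of the call,
 * restoring the previous pcre.jit setting afterwards. Returns preg_match()'s
 * result; on false, preg_last_error() says why the pattern was rejected.
 */
function matchWithoutJit(string $pattern, string $subject, ?array &$matches = null)
{
    $previous = ini_get('pcre.jit');
    ini_set('pcre.jit', '0');
    try {
        return preg_match($pattern, $subject, $matches);
    } finally {
        if ($previous !== false) {
            ini_set('pcre.jit', $previous);
        }
    }
}

if (pcreJitCrashSuspected()) {
    error_log('PCRE ' . PCRE_VERSION . ': routing untrusted patterns through matchWithoutJit()');
}

// With JIT off, the interpreter path compiles (or rejects) the pattern instead
// of faulting in compile_bracket_matchingpath.
var_dump(matchWithoutJit(CRASHING_PATTERN, 'helloworld'));
var_dump(preg_last_error());
```

Note that PHP caches compiled patterns per process, so the guard has to be in place before the first use of a pattern, not applied after a cached JIT compile; and because the check keys on PCRE_VERSION, a PHP built against the system libpcre rather than the bundled copy reports that library's version instead.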