Bug 41262

Summary: Embedded pcre causes runtime segfault
Product: Apache httpd-2
Reporter: Roberto C. Sanchez <roberto>
Component: All
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: normal
Keywords: MassUpdate
Priority: P2
Version: 2.2.3
Target Milestone: ---
Hardware: PC
OS: Mac OS X 10.4

Description Roberto C. Sanchez 2006-12-29 12:35:02 UTC
When building the latest stable httpd on Mac OS X, the server segfaults if the
usertrack module is enabled.  This can be corrected by upgrading the embedded
pcre or using an external pcre.  I first tried to update the embedded pcre in
srclib to a newer version (7.0), but it caused the build to fail because of
unexpanded macros in the Makefile.  However, by compiling it separately and
installing it in /usr/local/pcre, I was able to recompile httpd and have it work
with all the modules loaded.  I am using the Apple Developer tools and
configured with this command: './configure --enable-modules=all
--enable-mods-shared=all --with-included-apr --with-mpm=prefork --enable-ldap
--enable-authnz-ldap --enable-ssl --with-ldap --with-pcre=/usr/local/pcre' (To
reproduce the segfault, don't use --with-pcre).  I did not modify any of the
configuration files after running 'make install' and before running
'/usr/local/apache2/bin/apachectl start'.  I recommend updating the embedded
pcre in srclib.

Here is the gdb output of the segfaulted server:

$ gdb /usr/local/apache2/bin/httpd
GNU gdb 6.1-20040303 (Apple version gdb-437) (Fri Jan 13 18:45:48 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared
libraries ........ done

(gdb) run -k start
Starting program: /usr/local/apache2/bin/httpd -k start
Reading symbols for shared libraries ......+++ done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
 
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd69b
0x0002da60 in compile_regex (options=0, oldims=0, brackets=0xbfffefe4,
codeptr=0xbfffeb10, ptrptr=0xbfffeb0c, errorptr=0xbffff03c, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeb04, reqbyteptr=0xbfffeafc, bcptr=0xbfffeaf4,
cd=0xbfffef98) at pcre.c:2463
2463                for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_digit];

(gdb) bt
#0  0x0002da60 in compile_regex (options=0, oldims=0, brackets=0xbfffefe4,
codeptr=0xbfffeb10, ptrptr=0xbfffeb0c, errorptr=0xbffff03c, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeb04, reqbyteptr=0xbfffeafc, bcptr=0xbfffeaf4,
cd=0xbfffef98) at pcre.c:2463
#1  0x0002d6c7 in compile_regex (options=0, oldims=0, brackets=0xbfffefe4,
codeptr=0xbfffefe0, ptrptr=0xbfffefdc, errorptr=0xbffff03c, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffefec, reqbyteptr=0xbfffefe8, bcptr=0x0,
cd=0xbfffef98) at pcre.c:3666
#2  0x00030114 in pcre_compile (pattern=0x1849380 "^Apache=([^;,]+)|[;,][
\t]*Apache=([^;,]+)", options=0, errorptr=0xbffff03c, erroroffset=0xbffff038,
tables=0x3f2a0 "") at pcre.c:5509
#3  0x00008470 in ap_regcomp (preg=0x18493b0, pattern=0x1849380
"^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util_pcre.c:135
#4  0x000053a7 in ap_pregcomp (p=0x1806418, pattern=0x1849380
"^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util.c:268
#5  0x005a6b18 in set_and_comp_regexp (dcfg=0x1849368, p=0x1806418,
cookie_name=0x5a6ff4 "Apache") at mod_usertrack.c:203
#6  0x005a6c38 in make_cookie_dir (p=0x1806418, d=0x0) at mod_usertrack.c:268
#7  0x0001a3dc in ap_single_module_configure (p=0x1806418, s=0x180bda0,
m=0x5a7020) at config.c:2031
#8  0x00028eac in load_module (cmd=0xbffff668, dummy=0xbffff4b4,
modname=0x18491b0 "usertrack_module", filename=0x18491c8
"modules/mod_usertrack.so") at mod_so.c:294
#9  0x00017a36 in invoke_cmd (cmd=0x40060, parms=0xbffff668, mconfig=0xbffff4b4,
args=0x183d44c "") at config.c:768
#10 0x0001853a in ap_build_config_sub (p=0x180b878, temp_pool=0x184938d,
l=0xbfffe918 "híÿ¿", parms=0xbffff668, current=0xbffff51c,
curr_parent=0xbffff518, conftree=0x3f0a8) at config.c:1419
#11 0x00018b05 in ap_build_config (parms=0xbffff668, p=0x1806418,
temp_pool=0x1836418, conftree=0x3f0a8) at config.c:1202
#12 0x000192d0 in process_resource_config_nofnmatch (s=0x180bda0,
fname=0x1838ef0 "/usr/local/apache2/conf/httpd.conf", conftree=0x3f0a8,
p=0x1806418, ptemp=0x1836418, depth=0) at config.c:1612
#13 0x000195d8 in ap_process_resource_config (s=0x180bda0, fname=0x1838ef0
"/usr/local/apache2/conf/httpd.conf", conftree=0x3f0a8, p=0x1806418,
ptemp=0x1836418) at config.c:1644
#14 0x0001a1eb in ap_read_config (process=0x18044a0, ptemp=0x1836418,
filename=0x3567c "conf/httpd.conf", conftree=0x3f0a8) at config.c:2004
#15 0x00003272 in main (argc=3, argv=0xbffff98c) at main.c:610
(gdb)

Comment 1 Ruediger Pluem 2006-12-29 15:41:39 UTC
Please execute the following additional gdb commands in the case of a crash:

bt full
info frame
info registers
p *cd

This will help us to find out which of the variables points to the offending
address (0x7fffd69b in the case below).

Comment 2 Roberto C. Sanchez 2006-12-29 16:37:09 UTC
$ gdb /usr/local/apache2-crash/bin/httpd
GNU gdb 6.1-20040303 (Apple version gdb-437) (Fri Jan 13 18:45:48 GMT 2006)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared
libraries ........ done

(gdb) run -k start
Starting program: /usr/local/apache2-crash/bin/httpd -k start
Reading symbols for shared libraries ......+++ done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd5fb
0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94,
codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4,
cd=0xbfffef48) at pcre.c:2463
2463                for (c = 0; c < 32; c++) classbits[c] |= ~cbits[c+cbit_digit];
(gdb) bt full
#0  0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94,
codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4,
cd=0xbfffef48) at pcre.c:2463
        cbits = (const uschar *) 0xbfffe8c8 "\030íÿ¿"
        possessive_quantifier = 0
        is_quantifier = 0
        subreqbyte = -1866673032
        subfirstbyte = -1073746528
        class_lastchar = 25465965
        skipbytes = 16
        repeat_max = 0
        bravalue = 0
        condcount = -1073747768
        groupsetfirstbyte = 0
        repeat_type = 0
        req_caseopt = 0
        tempcode = (uschar *) 0x8fe53840
"øPà\217¦&à\2178Qà\217¦6à\217\2046à\217ä\027à\217h7à\217\214Qà\2176'à\217"
        inescq = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        tempptr = (const uschar *) 0x9114b3dc "/usr/lib/libSystem.B.dylib"
        classbits = "\000\000\000\000\000\020\000\b", '\0' <repeats 23 times>
        repeat_min = 0
        after_manual_callout = 0
        c = 16
        op_type = -1073747768
        reqvary = 0
        tempreqvary = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        code = (uschar *) 0x5d <Address 0x5d out of bounds>
        last_branch = (uschar *) 0x400a1a "Q"
        reverse_count = (uschar *) 0x0
        firstbyte = -2
        reqbyte = -2
        branchfirstbyte = -2
        branchreqbyte = -2
        bc = {
  outer = 0xbfffeaa4,
  current = 0x400a1a "Q"
}
        bcptr = (branch_chain *) 0x5d
#1  0x0002d6bf in compile_regex (options=0, oldims=0, brackets=0xbfffef94,
codeptr=0xbfffef90, ptrptr=0xbfffef8c, errorptr=0xbfffefec, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffef9c, reqbyteptr=0xbfffef98, bcptr=0x0,
cd=0xbfffef48) at pcre.c:3666
        possessive_quantifier = -1880803264
        is_quantifier = 0
        subreqbyte = -1881125354
        subfirstbyte = 0
        class_lastchar = 25465965
        skipbytes = 0
        repeat_max = 0
        bravalue = 81
        condcount = -1073747768
        groupsetfirstbyte = 0
        repeat_type = 0
        req_caseopt = 0
        tempcode = (uschar *) 0x400a1a "Q"
        inescq = 0
        ptr = (const uschar *) 0x1849469 "[^;,]+)|[;,][ \t]*Apache=([^;,]+)"
        tempptr = (const uschar *) 0x0
        classbits =
"\000\000\000\000\000\000\000\000H$\000\220â\000\000\000\003\000\000\000èêÿ¿\217&\000\220\000\000\200\001"
        repeat_min = 0
        after_manual_callout = 0
        c = 0
        op_type = -1073747768
        reqvary = 0
        tempreqvary = 0
        ptr = (const uschar *) 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        code = (uschar *) 0x5d <Address 0x5d out of bounds>
        last_branch = (uschar *) 0x400a08 "P"
        reverse_count = (uschar *) 0x0
        firstbyte = -2
        reqbyte = -2
        branchfirstbyte = 65
        branchreqbyte = 101
        bc = {
  outer = 0x0,
  current = 0x400a08 "P"
}
        bcptr = (branch_chain *) 0x5d
#2  0x0003010c in pcre_compile (pattern=0x1849460 "^Apache=([^;,]+)|[;,][
\t]*Apache=([^;,]+)", options=0, errorptr=0xbfffefec, erroroffset=0xbfffefe8,
tables=0x3f2a0 "") at pcre.c:5509
        re = (real_pcre *) 0x4009e0
        length = 182
        c = 44
        firstbyte = 46
        reqbyte = 2118144
        bracount = 1
        branch_extra = 0
        branch_newextra = 93
        item_count = 26
        name_count = 0
        max_name_size = 93
        lastitemlength = 1
        inescq = 0
        brastackptr = 0
        size = 0
        code = (uschar *) 0x400a08 "P"
        codestart = (const uschar *) 0x400a08 "P"
        ptr = (const uschar *) 0x1849460 "^Apache=([^;,]+)|[;,][
\t]*Apache=([^;,]+)"
        compile_block = {
  lcc = 0x3f2a0 "",
  fcc = 0x3f3a0 "",
  cbits = 0x3f4a0 "",
  ctypes = 0x3f5e0 "\200",
  start_code = 0x400a08 "P",
  start_pattern = 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)",
  name_table = 0x400a08 "P",
  names_found = 0,
  name_entry_size = 3,
  top_backref = 0,
  backref_map = 0,
  req_varyopt = 0,
  nopartial = 0
}
#3  0x00008468 in ap_regcomp (preg=0x1849490, pattern=0x1849460
"^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util_pcre.c:135
        errorptr = 0x0
        erroffset = 0
        preg = (ap_regex_t *) 0x1849490
        pattern = 0x5d <Address 0x5d out of bounds>
        cflags = 93
#4  0x0000539f in ap_pregcomp (p=0x1806418, pattern=0x1849460
"^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)", cflags=0) at util.c:268
        preg = (ap_regex_t *) 0x1849490
        p = (struct apr_pool_t *) 0x1806418
        pattern = 0x5d <Address 0x5d out of bounds>
        cflags = 93
#5  0x005a6b18 in set_and_comp_regexp (dcfg=0x1849448, p=0x1806418,
cookie_name=0x5a6ff4 "Apache") at mod_usertrack.c:203
        danger_chars = 0
        sp = 0x0
#6  0x005a6c38 in make_cookie_dir (p=0x1806418, d=0x0) at mod_usertrack.c:268
        p = (struct apr_pool_t *) 0x1806418
#7  0x0001a3d4 in ap_single_module_configure (p=0x1806418, s=0x180bda0,
m=0x5a7020) at config.c:2031
        m = (module *) 0x5a7020
#8  0x00028ea4 in load_module (cmd=0xbffff618, dummy=0xbffff464,
modname=0x1849288 "usertrack_module", filename=0x18492a0
"modules/mod_usertrack.so") at mod_so.c:294
        modhandle = (struct apr_dso_handle_t *) 0x18492f8
        modsym = 0x5a7020
        modp = (module *) 0x5a7020
        szModuleFile = 0x18492c0 "/usr/local/apache2-crash/modules/mod_usertrack.so"
        modi = (ap_module_symbol_t *) 0x1838508
        modie = (ap_module_symbol_t *) 0x5d
        i = 5926944
        error = 0x0
        dummy = (void *) 0x5d
        filename = 0x0
#9  0x00017a2e in invoke_cmd (cmd=0x40060, parms=0xbffff618, mconfig=0xbffff464,
args=0x183d44c "") at config.c:768
        w = 0x40060 "(Å\003"
        w2 = 0x5d <Address 0x5d out of bounds>
        w3 = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        errmsg = 0x0
#10 0x00018532 in ap_build_config_sub (p=0x180b878, temp_pool=0x184946d,
l=0xbfffe8c8 "\030íÿ¿", parms=0xbffff618, current=0xbffff4cc,
curr_parent=0xbffff4c8, conftree=0x3f0a8) at config.c:1419
        ml = (ap_mod_list *) 0x180b878
        dir = 0x180b878 ""
        args = 0x183d423 "usertrack_module modules/mod_usertrack.so"
        sub_tree = (ap_directive_t *) 0x0
        retval = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        args = 0x183d423 "usertrack_module modules/mod_usertrack.so"
        cmd_name = 0x1849218 "LoadModule"
        mod = (module *) 0x3f1e0
        cmd = (const command_rec *) 0x5d
#11 0x00018afd in ap_build_config (parms=0xbffff618, p=0x1806418,
temp_pool=0x1836418, conftree=0x3f0a8) at config.c:1202
        current = (ap_directive_t *) 0x183a0a0
        curr_parent = (ap_directive_t *) 0x0
        l = 0x183d418 "LoadModule usertrack_module modules/mod_usertrack.so"
        errmsg = 0x184946d "]+)|[;,][ \t]*Apache=([^;,]+)"
        conftree = (ap_directive_t **) 0x3f0a8
#12 0x000192c8 in process_resource_config_nofnmatch (s=0x180bda0,
fname=0x1838ef0 "/usr/local/apache2-crash/conf/httpd.conf", conftree=0x3f0a8,
p=0x1806418, ptemp=0x1836418, depth=0) at config.c:1612
        parms = {
  info = 0x0,
  override = 150,
  limited = -1,
  limited_xmethods = 0x0,
  xlimited = 0x0,
  config_file = 0x1839fb0,
  directive = 0x0,
  pool = 0x1806418,
  temp_pool = 0x1836418,
  server = 0x180bda0,
  path = 0x0,
  cmd = 0x40060,
  context = 0x0,
  err_directive = 0x1849228,
  override_opts = 239
}
        cfp = (ap_configfile_t *) 0x1839fb0
        error = 0x5d <Address 0x5d out of bounds>
        rv = 25465965
#13 0x000195d0 in ap_process_resource_config (s=0x180bda0, fname=0x1838ef0
"/usr/local/apache2-crash/conf/httpd.conf", conftree=0x3f0a8, p=0x1806418,
ptemp=0x1836418) at config.c:1644
        fname = 0x1838ef0 "/usr/local/apache2-crash/conf/httpd.conf"
        dirp = (struct apr_dir_t *) 0x0
        dirent = {
  pool = 0x18,
  valid = 25,
  protection = 40,
  filetype = 4294967295,
  user = 4294967295,
  group = 4294967295,
  inode = 4294967295,
  device = 232508,
  nlink = 263868,
  size = 436166814044096,
  csize = 25398056,
  atime = 436384783398840,
  mtime = 939553087027116,
  ctime = 137439172227,
  fname = 0x1806418 "\030D\200\001\030d\204\001",
  name = 0xef <Address 0xef out of bounds>,
  filehand = 0x1808450
}
        current = 25399024
        candidates = (apr_array_header_t *) 0x5
        rv = 25465965
        path = 0x200080 "0\002 "
        finfo = {
  pool = 0x18,
  valid = 25,
  protection = 40,
  filetype = 4294967295,
  user = 4294967295,
  group = 4294967295,
  inode = 4294967295,
  device = 232508,
  nlink = 263868,
  size = 436166814044096,
  csize = 25398056,
  atime = 436384783398840,
  mtime = 939553087027116,
  ctime = 137439172227,
  fname = 0x1806418 "\030D\200\001\030d\204\001",
  name = 0xef <Address 0xef out of bounds>,
  filehand = 0x1808450
}
        dirp = (struct apr_dir_t *) 0x0
        dirent = {
  pool = 0x18,
  valid = 25,
  protection = 40,
  filetype = 4294967295,
  user = 4294967295,
  group = 4294967295,
  inode = 4294967295,
  device = 232508,
  nlink = 263868,
  size = 436166814044096,
  csize = 25398056,
  atime = 436384783398840,
  mtime = 939553087027116,
  ctime = 137439172227,
  fname = 0x1806418 "\030D\200\001\030d\204\001",
  name = 0xef <Address 0xef out of bounds>,
  filehand = 0x1808450
}
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
        dirp = (struct apr_dir_t *) 0x0
        dirent = {
  pool = 0x18,
  valid = 25,
  protection = 40,
  filetype = 4294967295,
  user = 4294967295,
  group = 4294967295,
  inode = 4294967295,
  device = 232508,
  nlink = 263868,
  size = 436166814044096,
  csize = 25398056,
  atime = 436384783398840,
  mtime = 939553087027116,
  ctime = 137439172227,
  fname = 0x1806418 "\030D\200\001\030d\204\001",
  name = 0xef <Address 0xef out of bounds>,
  filehand = 0x1808450
}
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
        dirp = (struct apr_dir_t *) 0x0
        dirent = {
  pool = 0x18,
  valid = 25,
  protection = 40,
  filetype = 4294967295,
  user = 4294967295,
  group = 4294967295,
  inode = 4294967295,
  device = 232508,
  nlink = 263868,
  size = 436166814044096,
  csize = 25398056,
  atime = 436384783398840,
  mtime = 939553087027116,
  ctime = 137439172227,
  fname = 0x1806418 "\030D\200\001\030d\204\001",
  name = 0xef <Address 0xef out of bounds>,
  filehand = 0x1808450
}
        candidates = (apr_array_header_t *) 0x5
        path = 0x200080 "0\002 "
#14 0x0001a1e3 in ap_read_config (process=0x18044a0, ptemp=0x1836418,
filename=0x35674 "conf/httpd.conf", conftree=0x3f0a8) at config.c:2004
        confname = 0x5d <Address 0x5d out of bounds>
        error = 0x5d <Address 0x5d out of bounds>
        p = (struct apr_pool_t *) 0x1806418
        s = (server_rec *) 0x180bda0
        process = (process_rec *) 0x1838b28
#15 0x0000326a in main (argc=3, argv=0xbffff940) at main.c:610
        c = 0 '\0'
        configtestonly = 0
        confname = 0x35674 "conf/httpd.conf"
        def_server_root = 0x35684 "/usr/local/apache2-crash"
        temp_error_log = 0x0
        error = 0x5d <Address 0x5d out of bounds>
        process = (process_rec *) 0x18044a0
        server_conf = (server_rec *) 0x18044a0
        pglobal = (struct apr_pool_t *) 0x1804418
        pconf = (struct apr_pool_t *) 0x1806418
        plog = (struct apr_pool_t *) 0x1834418
        ptemp = (struct apr_pool_t *) 0x1836418
        pcommands = (struct apr_pool_t *) 0x1808418
        opt = (apr_getopt_t *) 0x18084b0
        rv = 258216
        optarg = 0x79645f5f <Address 0x79645f5f out of bounds>
(gdb) info frame
Stack level 0, frame at 0xbfffe950:
 eip = 0x2da58 in compile_regex (pcre.c:2463); saved eip 0x2d6bf
 called by frame at 0xbfffeaf0
 source language c.
 Arglist at 0xbfffe948, args: options=0, oldims=0, brackets=0xbfffef94,
codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4,
cd=0xbfffef48
 Locals at 0xbfffe948, Previous frame's sp is 0xbfffe950
 Saved registers:
  ebx at 0xbfffe93c, ebp at 0xbfffe948, esi at 0xbfffe940, edi at 0xbfffe944,
eip at 0xbfffe94c
(gdb) info registers
eax            0x5d     93
ecx            0xbfffe8c8       -1073747768
edx            0x184946d        25465965
ebx            0x2d0e7  184551
esp            0xbfffe7b0       0xbfffe7b0
ebp            0xbfffe948       0xbfffe948
esi            0xbfffecf4       -1073746700
edi            0x10     16
eip            0x2da58  0x2da58
eflags         0x10246  66118
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) p *cd
$1 = {
  lcc = 0x3f2a0 "",
  fcc = 0x3f3a0 "",
  cbits = 0x3f4a0 "",
  ctypes = 0x3f5e0 "\200",
  start_code = 0x400a08 "P",
  start_pattern = 0x1849460 "^Apache=([^;,]+)|[;,][ \t]*Apache=([^;,]+)",
  name_table = 0x400a08 "P",
  names_found = 0,
  name_entry_size = 3,
  top_backref = 0,
  backref_map = 0,
  req_varyopt = 0,
  nopartial = 0
}

Hope this helps.
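
Comment 1 asks which variable points at the faulting address. The following added example (not part of the original report, nor httpd or PCRE code) parses frame-0 excerpts copied from the two gdb sessions above, trimmed to their pointer values, and checks that, then compares how far the fault address and the stack pointers moved between the two crashes. The function names and the 0x1000 window are assumptions of this example.

```python
import re

# Frame-0 excerpts copied from the two gdb sessions on this page.
RUN_1 = """\
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd69b
0x0002da60 in compile_regex (options=0, oldims=0, brackets=0xbfffefe4,
codeptr=0xbfffeb10, ptrptr=0xbfffeb0c, errorptr=0xbffff03c, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeb04, reqbyteptr=0xbfffeafc, bcptr=0xbfffeaf4,
cd=0xbfffef98) at pcre.c:2463
"""
RUN_2 = """\
Reason: KERN_INVALID_ADDRESS at address: 0x7fffd5fb
0x0002da58 in compile_regex (options=0, oldims=0, brackets=0xbfffef94,
codeptr=0xbfffeac0, ptrptr=0xbfffeabc, errorptr=0xbfffefec, lookbehind=0,
skipbytes=0, firstbyteptr=0xbfffeab4, reqbyteptr=0xbfffeaac, bcptr=0xbfffeaa4,
cd=0xbfffef48) at pcre.c:2463
        cbits = (const uschar *) 0xbfffe8c8
        tempcode = (uschar *) 0x8fe53840
        ptr = (const uschar *) 0x184946d
        tempptr = (const uschar *) 0x9114b3dc
        code = (uschar *) 0x5d
"""

FAULT_RE = re.compile(r"at address: (0x[0-9a-f]+)")
ARG_RE = re.compile(r"\b(\w+)=(0x[0-9a-f]+)")            # name=0x... in the arglist
LOCAL_RE = re.compile(r"^\s+(\w+) = (?:\([^)]*\) )?(0x[0-9a-f]+)", re.M)  # bt full locals


def parse(session):
    """Return (fault_address, {variable: pointer_value}) for frame 0."""
    fault = int(FAULT_RE.search(session).group(1), 16)
    pointers = {}
    for name, value in ARG_RE.findall(session) + LOCAL_RE.findall(session):
        pointers.setdefault(name, int(value, 16))
    return fault, pointers


def near_fault(session, window=0x1000):
    """Names of variables whose value lies within `window` bytes of the fault."""
    fault, pointers = parse(session)
    return sorted(n for n, v in pointers.items() if abs(v - fault) <= window)


def cross_run_shift(first, second):
    """How far the fault address and each shared pointer moved between runs."""
    fault_a, ptrs_a = parse(first)
    fault_b, ptrs_b = parse(second)
    shared = ptrs_a.keys() & ptrs_b.keys()
    return fault_a - fault_b, {ptrs_a[n] - ptrs_b[n] for n in shared}


if __name__ == "__main__":
    print("variables near fault (run 2):", near_fault(RUN_2))
    fault_delta, pointer_deltas = cross_run_shift(RUN_1, RUN_2)
    print("fault moved by", hex(fault_delta))
    print("stack pointers moved by", sorted(hex(d) for d in pointer_deltas))
```

On the page's data no listed variable is near the fault address, and the fault address moved by 0xa0 between the two runs while every stack pointer in the argument list moved by 0x50.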

Comment 3 Ruediger Pluem 2006-12-30 01:27:57 UTC
Thanks for the quick update, but to be honest at the moment I have no idea why
this happens.

Comment 4 Roberto C. Sanchez 2006-12-30 07:11:08 UTC
No problem.  I don't understand either.  However, it appears that the embedded
version of pcre in the httpd source is version 5.0, which is now over two years
old.  I have apache successfully working with the latest upstream, version 7.0.
Of course, this would need to be tested thoroughly to ensure that it does not
introduce any regressions.  I'd recommend updating the pcre included with httpd.

Comment 5 Nick Kew 2006-12-30 18:58:40 UTC
This is an instance of a frequently-recurring problem that comes with bundling
*any* PCRE version.  The solution is to unbundle it.

Comment 6 Ian Holsman 2007-05-10 22:25:54 UTC
Is the 'solution' here to check at compile time on OS/X and refuse to build
unless the person has specified an external pcre?

The bug is marked as needsinfo. What other information is required?

Comment 7 William A. Rowe Jr. 2018-11-07 21:09:20 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.