PHP :: Bug #69149 :: The PCRE extension crashes seeminglessly due to memory leaks or double free

Bug #69149

The PCRE extension crashes seeminglessly due to memory leaks or double free

Submitted:

2015-02-28 23:18 UTC

Modified:

2015-06-24 16:02 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

gregory at luni dot fr

Assigned:

ab (profile)

Status:

Closed

Package:

*Regular Expressions

PHP Version:

master-Git-2015-02-28 (Git)

OS:

OSX, Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	gregory at luni dot fr
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-02-28 23:18 UTC] gregory at luni dot fr

Description:
------------
There is an error on the PCRE extension and memory management, I can't determine exactly what's happening, I have These 2 types of messages :

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

This is the configure command I used on my mac :

./configure --prefix=$HOME/tmp/usr --with-config-file-path=$HOME/tmp/usr/etc --enable-mbstring --enable-zip --enable-bcmath --enable-pcntl --enable-ftp --enable-exif --enable-calendar --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-curl --with-mcrypt --with-iconv --with-gmp --with-gd --with-jpeg-dir=/usr/local/opt/jpeg/include/ --with-png-dir=/usr/local/opt/libpng/include/ --with-zlib-dir=/usr --with-freetype-dir=/usr --with-t1lib=/usr --enable-gd-native-ttf --enable-gd-jis-conv --with-openssl --with-pdo-mysql=mysqlnd --with-gettext=/usr/local/opt/gettext/ --with-zlib=/usr --with-bz2=/usr --with-recode=/usr --with-mysqli=mysqlnd --enable-debug --enable-maintainer-mode

I'm using OSX 10.10 Yosemite, with the latest master (34ff6bbb0df152694e648161b149d41270fccdcb).

Test script:
---------------
<?php

$buffer = 'public function test(){return true;}';

preg_match('/(?:public|protected|private|final|abstract|static)*?'
    . '\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm',
        $buffer, $matches);

var_dump($matches[0]);

Expected result:
----------------
string(36) "public function test(){return true;}"


Actual result:
--------------
Either :

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Or either :

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-02-28 23:19 UTC] gregory at luni dot fr

-Summary: The PCRE extension crashes +Summary: The PCRE extension crashes seeminglessly due to memory leaks or double free

[2015-02-28 23:19 UTC] gregory at luni dot fr

Changed title

[2015-02-28 23:49 UTC] gregory at luni dot fr

Added backtrace :

(gdb) backtrace
#0  0x00007fff9b897286 in __pthread_kill () from /usr/lib/system/libsystem_kernel.dylib
#1  0x00007fff9631942f in pthread_kill () from /usr/lib/system/libsystem_pthread.dylib
#2  0x00007fff8d8d3b53 in abort () from /usr/lib/system/libsystem_c.dylib
#3  0x00007fff8d89bc39 in __assert_rtn () from /usr/lib/system/libsystem_c.dylib
#4  0x000000010071c97c in zend_function_dtor (zv=0x7fff5fbfe058) at Zend/zend_opcode.c:122
#5  0x000000010074b680 in _zend_hash_del_el_ex (ht=0x101413a70, idx=1462, p=0x101854ac0, prev=0x0) at Zend/zend_hash.c:845
#6  0x000000010074cb69 in _zend_hash_del_el (ht=0x101413a70, idx=1462, p=0x101854ac0) at Zend/zend_hash.c:869
#7  0x000000010074d33c in zend_hash_reverse_apply (ht=0x101413a70, apply_func=0x1007151a0 <clean_non_persistent_function>) at Zend/zend_hash.c:1384
#8  0x0000000100714e59 in shutdown_executor () at Zend/zend_execute_API.c:345
#9  0x000000010073349e in zend_deactivate () at Zend/zend.c:890
#10 0x00000001006823d2 in php_request_shutdown (dummy=0x0) at main/main.c:1850
#11 0x00000001007fe1be in do_cli (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1156
#12 0x00000001007fc313 in main (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1355

[2015-03-01 00:15 UTC] gregory at luni dot fr

the error does not occur with this similar regex :

/(?:(?:public|protected|private)\s+)(?:(?:final|abstract|static)\s+)?\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm

[2015-03-01 15:27 UTC] laruence@php.net

-Status: Open +Status: Verified

[2015-03-01 15:27 UTC] laruence@php.net

seems it's a bug in pcrelib .. anyway, must related to pcre jit we introduced recently.

php -d pcre.jit=0 runs fine..

==6629== Invalid write of size 8
==6629==    at 0x4DEDE6: _pcre_jit_compile (pcre_jit_compile.c:10313)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)
==6629==    by 0xAE349D: do_cli (php_cli.c:979)
==6629==    by 0xAE452E: main (php_cli.c:1355)
==6629==  Address 0x11a2bc88 is 24 bytes before a block of size 120 alloc'd
==6629==    at 0x4A078B8: malloc (vg_replace_malloc.c:270)
==6629==    by 0x4B701C: sljit_create_compiler (sljitLir.c:335)
==6629==    by 0x4DD55B: _pcre_jit_compile (pcre_jit_compile.c:9964)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)

[2015-03-04 07:37 UTC] hzmester at freemail dot hu

Which pcre version? As far as I remember 8.35 has an alternative compiling bug.

[2015-03-04 11:09 UTC] gregory at luni dot fr

This is what the php7 -i command returns about PCRE :

pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.36 2014-09-26
PCRE JIT Support => enabled

Directive => Local Value => Master Value
pcre.backtrack_limit => 1000000 => 1000000
pcre.jit => 1 => 1
pcre.recursion_limit => 100000 => 100000

The version is 8.36, maybe this bug wasn't fixed since 8.35.

[2015-03-04 18:47 UTC] hzmester at freemail dot hu

This is a valid bug and related to the alternative compiling again, but with recursion. E.g: /(?:a|b|c|d|e)(?R)/ I try to fix it soon. Thank you for finding it.

[2015-03-05 09:14 UTC] hzmester at freemail dot hu

Fixed in PCRE r1530. I will port the patch to PCRE2 soon. Thank you for the report.

[2015-06-24 16:02 UTC] ab@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: ab

[2015-06-24 16:02 UTC] ab@php.net

This fixed with the upgrade to PCRE 8.37.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 17:00:01 2025 UTC