Bug #69149 The PCRE extension crashes seeminglessly due to memory leaks or double free
Submitted: 2015-02-28 23:18 UTC Modified: 2015-06-24 16:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gregory at luni dot fr Assigned: ab (profile)
Status: Closed Package: *Regular Expressions
PHP Version: master-Git-2015-02-28 (Git) OS: OSX, Linux
Private report: No CVE-ID: None
 [2015-02-28 23:18 UTC] gregory at luni dot fr
Description:
------------
There is an error in the PCRE extension and memory management; I can't determine exactly what's happening. I have these 2 types of messages:

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

This is the configure command I used on my Mac:

./configure --prefix=$HOME/tmp/usr --with-config-file-path=$HOME/tmp/usr/etc --enable-mbstring --enable-zip --enable-bcmath --enable-pcntl --enable-ftp --enable-exif --enable-calendar --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-wddx --with-curl --with-mcrypt --with-iconv --with-gmp --with-gd --with-jpeg-dir=/usr/local/opt/jpeg/include/ --with-png-dir=/usr/local/opt/libpng/include/ --with-zlib-dir=/usr --with-freetype-dir=/usr --with-t1lib=/usr --enable-gd-native-ttf --enable-gd-jis-conv --with-openssl --with-pdo-mysql=mysqlnd --with-gettext=/usr/local/opt/gettext/ --with-zlib=/usr --with-bz2=/usr --with-recode=/usr --with-mysqli=mysqlnd --enable-debug --enable-maintainer-mode

I'm using OSX 10.10 Yosemite, with the latest master (34ff6bbb0df152694e648161b149d41270fccdcb).

Test script:
---------------
<?php

$buffer = 'public function test(){return true;}';

preg_match('/(?:public|protected|private|final|abstract|static)*?'
    . '\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm',
        $buffer, $matches);

var_dump($matches[0]);

Expected result:
----------------
string(36) "public function test(){return true;}"


Actual result:
--------------
Either:

php7(42118,0x7fff7e1dd300) malloc: *** error for object 0x7f8022f02b28: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Or:

Assertion failed: (function->type == 1), function zend_function_dtor, file /Users/gplanchat/CLionProjects/php-src/Zend/zend_opcode.c, line 122.
Abort trap: 6

 [2015-02-28 23:19 UTC] gregory at luni dot fr
-Summary: The PCRE extension crashes +Summary: The PCRE extension crashes seeminglessly due to memory leaks or double free
 [2015-02-28 23:19 UTC] gregory at luni dot fr
Changed title
 [2015-02-28 23:49 UTC] gregory at luni dot fr
Added backtrace:

(gdb) backtrace
#0  0x00007fff9b897286 in __pthread_kill () from /usr/lib/system/libsystem_kernel.dylib
#1  0x00007fff9631942f in pthread_kill () from /usr/lib/system/libsystem_pthread.dylib
#2  0x00007fff8d8d3b53 in abort () from /usr/lib/system/libsystem_c.dylib
#3  0x00007fff8d89bc39 in __assert_rtn () from /usr/lib/system/libsystem_c.dylib
#4  0x000000010071c97c in zend_function_dtor (zv=0x7fff5fbfe058) at Zend/zend_opcode.c:122
#5  0x000000010074b680 in _zend_hash_del_el_ex (ht=0x101413a70, idx=1462, p=0x101854ac0, prev=0x0) at Zend/zend_hash.c:845
#6  0x000000010074cb69 in _zend_hash_del_el (ht=0x101413a70, idx=1462, p=0x101854ac0) at Zend/zend_hash.c:869
#7  0x000000010074d33c in zend_hash_reverse_apply (ht=0x101413a70, apply_func=0x1007151a0 <clean_non_persistent_function>) at Zend/zend_hash.c:1384
#8  0x0000000100714e59 in shutdown_executor () at Zend/zend_execute_API.c:345
#9  0x000000010073349e in zend_deactivate () at Zend/zend.c:890
#10 0x00000001006823d2 in php_request_shutdown (dummy=0x0) at main/main.c:1850
#11 0x00000001007fe1be in do_cli (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1156
#12 0x00000001007fc313 in main (argc=2, argv=0x101413760) at sapi/cli/php_cli.c:1355
 [2015-03-01 00:15 UTC] gregory at luni dot fr
The error does not occur with this similar regex:

/(?:(?:public|protected|private)\s+)(?:(?:final|abstract|static)\s+)?\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm
 [2015-03-01 15:27 UTC] laruence@php.net
-Status: Open +Status: Verified
 [2015-03-01 15:27 UTC] laruence@php.net
Seems it's a bug in pcrelib... anyway, it must be related to the pcre jit we introduced recently.

php -d pcre.jit=0 runs fine.

==6629== Invalid write of size 8
==6629==    at 0x4DEDE6: _pcre_jit_compile (pcre_jit_compile.c:10313)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)
==6629==    by 0xAE349D: do_cli (php_cli.c:979)
==6629==    by 0xAE452E: main (php_cli.c:1355)
==6629==  Address 0x11a2bc88 is 24 bytes before a block of size 120 alloc'd
==6629==    at 0x4A078B8: malloc (vg_replace_malloc.c:270)
==6629==    by 0x4B701C: sljit_create_compiler (sljitLir.c:335)
==6629==    by 0x4DD55B: _pcre_jit_compile (pcre_jit_compile.c:9964)
==6629==    by 0x4B532E: php_pcre_study (pcre_study.c:1585)
==6629==    by 0x4E440D: pcre_get_compiled_regex_cache (php_pcre.c:420)
==6629==    by 0x4E4F46: php_do_pcre_match (php_pcre.c:570)
==6629==    by 0x4E6861: zif_preg_match (php_pcre.c:904)
==6629==    by 0xA86BE2: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:511)
==6629==    by 0xA863E8: execute_ex (zend_vm_execute.h:352)
==6629==    by 0xA86543: zend_execute (zend_vm_execute.h:381)
==6629==    by 0xA36775: zend_execute_scripts (zend.c:1282)
==6629==    by 0x9A8220: php_execute_script (main.c:2527)
 [2015-03-04 07:37 UTC] hzmester at freemail dot hu
Which pcre version? As far as I remember 8.35 has an alternative compiling bug.
 [2015-03-04 11:09 UTC] gregory at luni dot fr
This is what the php7 -i command returns about PCRE:

pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.36 2014-09-26
PCRE JIT Support => enabled

Directive => Local Value => Master Value
pcre.backtrack_limit => 1000000 => 1000000
pcre.jit => 1 => 1
pcre.recursion_limit => 100000 => 100000

The version is 8.36, maybe this bug wasn't fixed since 8.35.
 [2015-03-04 18:47 UTC] hzmester at freemail dot hu
This is a valid bug and related to the alternative compiling again, but with recursion, e.g. /(?:a|b|c|d|e)(?R)/. I'll try to fix it soon. Thank you for finding it.
 [2015-03-05 09:14 UTC] hzmester at freemail dot hu
Fixed in PCRE r1530. I will port the patch to PCRE2 soon. Thank you for the report.
 [2015-06-24 16:02 UTC] ab@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: ab
 [2015-06-24 16:02 UTC] ab@php.net
This is fixed with the upgrade to PCRE 8.37.
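A runtime guard for the workaround laruence gave above (pcre.jit=0) and the fix boundary from the last comment (PCRE 8.37), written as an added example for this report rather than code from the bug or from the PHP project; the helper names pcre_jit_is_safe and run_reproducer are our own, and the script assumes a PHP build where pcre.jit can be set with ini_set (it is PHP_INI_ALL):

```php
<?php
// Added example, not from the bug report: check whether this PHP links a PCRE
// older than 8.37 with JIT enabled (the combination that crashes on the
// recursive alternation above) and fall back to the interpreter before
// compiling the reporter's pattern.

function pcre_jit_is_safe(string $pcre_version, string $jit_ini): bool
{
    // PCRE_VERSION looks like "8.36 2014-09-26"; keep only the numeric part.
    $version = strtok($pcre_version, ' ');
    // The fix landed in PCRE r1530 and shipped in 8.37 (PCRE2 10.x also compares higher).
    if (version_compare($version, '8.37', '>=')) {
        return true;
    }
    // Older library: only safe when the JIT is off.
    return !filter_var($jit_ini, FILTER_VALIDATE_BOOLEAN);
}

function run_reproducer(string $buffer): ?string
{
    // The exact pattern from the report: a lazy alternation followed by (?R) recursion.
    $pattern = '/(?:public|protected|private|final|abstract|static)*?'
        . '\s+function\s+test\([^\)]*\)\s*(?:\{(?:[^{}]*|(?R))*\})/sm';
    if (preg_match($pattern, $buffer, $matches) !== 1) {
        return null;
    }
    return $matches[0];
}

if (!pcre_jit_is_safe(PCRE_VERSION, (string) ini_get('pcre.jit'))) {
    // Same effect as "php -d pcre.jit=0", applied for this request only;
    // it must happen before the pattern is compiled and cached.
    ini_set('pcre.jit', '0');
    fwrite(STDERR, 'PCRE ' . PCRE_VERSION . " with JIT enabled: disabling pcre.jit for this request\n");
}

var_dump(run_reproducer('public function test(){return true;}'));
```

On a fixed build (PCRE 8.37 or newer) the guard does nothing and the JIT stays on; on an affected build the script prints the 36-character match instead of aborting.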