php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81240 Conditional jump or move in preg_match
Submitted: 2021-07-09 12:44 UTC Modified: 2021-07-09 13:07 UTC
From: danack@php.net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 8.1Git-2021-07-09 (Git) OS: Debian
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: danack@php.net
New email:
PHP Version: OS:

 

 [2021-07-09 12:44 UTC] danack@php.net 
Description:
------------
It appears there is a read from uninitialized memory somewhere in preg_match.

This doesn't happen when php is configured with --enable-debug so the backtrace is a bit useless.


# USE_ZEND_ALLOC=0 valgrind --track-origins=yes php debug.php
==314== Memcheck, a memory error detector
==314== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==314== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==314== Command: php debug.php
==314==
==314== Conditional jump or move depends on uninitialised value(s)
==314==    at 0x407FAAD: ???
==314==    by 0xDE0BE27: ???
==314==    by 0xDE0BE27: ???
==314==    by 0xDE0BE2D: ???
==314==    by 0xD979B9F: ???
==314==    by 0xDE0BE27: ???
==314==  Uninitialised value was created by a heap allocation
==314==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==314==    by 0x4B49D8: __zend_malloc (zend_alloc.c:3043)
==314==    by 0x560CCC: zend_string_alloc (zend_string.h:141)
==314==    by 0x560CCC: zend_string_init (zend_string.h:163)
==314==    by 0x560CCC: zend_new_interned_string_request (zend_string.c:245)
==314==    by 0x4BB051: zval_make_interned_string (zend_compile.c:507)
==314==    by 0x4BB051: zend_insert_literal (zend_compile.c:519)
==314==    by 0x4BB051: zend_add_literal (zend_compile.c:540)
==314==    by 0x4BB101: zend_emit_op (zend_compile.c:2099)
==314==    by 0x4C83F7: zend_compile_args.part.58 (zend_compile.c:3631)
==314==    by 0x4C8B32: zend_compile_args (zend_compile.c:3680)
==314==    by 0x4C8B32: zend_compile_call_common (zend_compile.c:3684)
==314==    by 0x4C92AB: zend_compile_call (zend_compile.c:4471)
==314==    by 0x4C8144: zend_compile_var_inner (zend_compile.c:10063)
==314==    by 0x4C8144: zend_compile_var (zend_compile.c:10089)
==314==    by 0x4C45D8: zend_compile_expr_inner (zend_compile.c:9924)
==314==    by 0x4C45D8: zend_compile_expr (zend_compile.c:10044)
==314==    by 0x4CC6EF: zend_compile_stmt (zend_compile.c:9886)
==314==    by 0x4CFD1B: zend_compile_top_stmt (zend_compile.c:9773)

Test script:
---------------
<?php

preg_match('/(a)(b)*(c)/', 'xxxxxx', $matches);
var_dump($matches);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-09 13:07 UTC] danack@php.net
-Status: Open +Status: Not a bug
 [2021-07-09 13:07 UTC] danack@php.net 
Compiling in debug mode enables valgrind support for PCRE: https://github.com/php/php-src/blob/a80360dbed1232e2a6e871fb892670464aab8c56/ext/pcre/config0.m4#L102-L107

aka makes it less likely that valgrind would report an invalid error.

As that makes the difference, this is likely not an actual bug.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Jan 15 12:01:29 2025 UTC