php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73612 preg_*() may leak memory
Submitted: 2016-11-26 14:12 UTC Modified: 2016-11-26 14:25 UTC
From: cmb@php.net Assigned: cmb
Status: Closed Package: PCRE related
PHP Version: 7.0Git-2016-11-26 (Git) OS: *
Private report: No CVE-ID:
 [2016-11-26 14:12 UTC] cmb@php.net
Description:
------------
As has been pointed out by Nikita[1], as of PHP 7.0.0 zval_dtor()
is actually the same as zval_ptr_dtor_nogc(). Therefore
preg_match() and some other PCRE functions may leak memory if
objects are passed as $matches and $count, respectively.

[1] <http://news.php.net/php.internals/97197>


Test script:
---------------
<?php

$obj = new stdClass;
$obj->obj = $obj;
preg_match('/./', 'x', $obj);

$obj = new stdClass;
$obj->obj = $obj;
preg_replace('/./', '', 'x', -1, $obj);

$obj = new stdClass;
$obj->obj = $obj;
preg_replace_callback('/./', 'array_merge', 'x', -1, $obj);

$obj = new stdClass;
$obj->obj = $obj;
preg_replace_callback_array(['/./' => 'array_merge'], 'x', -1, $obj);

$obj = new stdClass;
$obj->obj = $obj;
preg_filter('/./', '', 'x', -1, $obj);


Actual result:
--------------
[Sat Nov 26 14:03:38 2016]  Script:  '/vagrant/leak.php'
/vagrant/php-src/Zend/zend_objects.c(162) :  Freeing 0x7FF12465ECD0 (40 bytes), script=/vagrant/leak.php
Last leak repeated 4 times
=== Total 5 memory leaks detected ===


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-26 14:25 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-11-26 15:18 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=003727d851da770c60555a2aecf6d82497b04f42
Log: Fix #73612: preg_*() may leak memory
 [2016-11-26 15:18 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2016-11-30 23:13 UTC] davey@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=003727d851da770c60555a2aecf6d82497b04f42
Log: Fix #73612: preg_*() may leak memory
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC