php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81240 Conditional jump or move in preg_match
Submitted: 2021-07-09 12:44 UTC Modified: 2021-07-09 13:07 UTC
From: danack@php.net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 8.1Git-2021-07-09 (Git) OS: Debian
Private report: No CVE-ID: None
 [2021-07-09 12:44 UTC] danack@php.net
Description:
------------
It appears there is a read from uninitialized memory somewhere in preg_match.

This doesn't happen when php is configured with --enable-debug so the backtrace is a bit useless.


# USE_ZEND_ALLOC=0 valgrind --track-origins=yes php debug.php
==314== Memcheck, a memory error detector
==314== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==314== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==314== Command: php debug.php
==314==
==314== Conditional jump or move depends on uninitialised value(s)
==314==    at 0x407FAAD: ???
==314==    by 0xDE0BE27: ???
==314==    by 0xDE0BE27: ???
==314==    by 0xDE0BE2D: ???
==314==    by 0xD979B9F: ???
==314==    by 0xDE0BE27: ???
==314==  Uninitialised value was created by a heap allocation
==314==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==314==    by 0x4B49D8: __zend_malloc (zend_alloc.c:3043)
==314==    by 0x560CCC: zend_string_alloc (zend_string.h:141)
==314==    by 0x560CCC: zend_string_init (zend_string.h:163)
==314==    by 0x560CCC: zend_new_interned_string_request (zend_string.c:245)
==314==    by 0x4BB051: zval_make_interned_string (zend_compile.c:507)
==314==    by 0x4BB051: zend_insert_literal (zend_compile.c:519)
==314==    by 0x4BB051: zend_add_literal (zend_compile.c:540)
==314==    by 0x4BB101: zend_emit_op (zend_compile.c:2099)
==314==    by 0x4C83F7: zend_compile_args.part.58 (zend_compile.c:3631)
==314==    by 0x4C8B32: zend_compile_args (zend_compile.c:3680)
==314==    by 0x4C8B32: zend_compile_call_common (zend_compile.c:3684)
==314==    by 0x4C92AB: zend_compile_call (zend_compile.c:4471)
==314==    by 0x4C8144: zend_compile_var_inner (zend_compile.c:10063)
==314==    by 0x4C8144: zend_compile_var (zend_compile.c:10089)
==314==    by 0x4C45D8: zend_compile_expr_inner (zend_compile.c:9924)
==314==    by 0x4C45D8: zend_compile_expr (zend_compile.c:10044)
==314==    by 0x4CC6EF: zend_compile_stmt (zend_compile.c:9886)
==314==    by 0x4CFD1B: zend_compile_top_stmt (zend_compile.c:9773)

Test script:
---------------
<?php

preg_match('/(a)(b)*(c)/', 'xxxxxx', $matches);
var_dump($matches);


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-09 13:07 UTC] danack@php.net
-Status: Open +Status: Not a bug
 [2021-07-09 13:07 UTC] danack@php.net
Compiling in debug mode enables valgrind support for PCRE: https://github.com/php/php-src/blob/a80360dbed1232e2a6e871fb892670464aab8c56/ext/pcre/config0.m4#L102-L107

aka makes it less likely that valgrind would report an invalid error.

As that makes the difference, this is likely not an actual bug.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Jan 19 21:03:36 2022 UTC