preg_match causes Conditional jump or move depends on uninitialised value(s) issue

[navisoft]

Description

The following code:

zval matches, matched, _router, function, _3args[3];

ZVAL_STRING(&function, "preg_match");

ZVAL_NULL(&matches);

ZVAL_STRING(&_3args[0], "/\\/hello\\//");
ZVAL_STRING(&_3args[1], "foo");
ZVAL_NEW_REF(&_3args[2], &matches);

call_user_function(NULL, NULL, &function, &matched, 3, _3args);
zval_ptr_dtor(&function);
zval_ptr_dtor(&_3args[0]);
zval_ptr_dtor(&_3args[1]);
zval_ptr_dtor(&_3args[2]);

php_var_dump(&matched, 1);

zval_ptr_dtor(&matched);
zval_ptr_dtor(&matches);

valgrind command:

ZEND_DONT_UNLOAD_MODULES=1 USE_ZEND_ALLOC=0 valgrind --leak-check=full --show-reachable=no --track-origins=yes --log-file=test/output.txt /root/php-bin/DEBUG/bin/php -S localhost:8000 test/index.php

valgrind output:

==9882== Conditional jump or move depends on uninitialised value(s)
==9882==    at 0x2E4B94: ffcps_0 (pcre2_jit_neon_inc.h:308)
==9882==    by 0xF736D0F: ???
==9882==  Uninitialised value was created by a heap allocation
==9882==    at 0x484EFC8: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==9882==    by 0x6E79C7: __zend_malloc (zend_alloc.c:3056)
==9882==    by 0x6E649B: _malloc_custom (zend_alloc.c:2418)
==9882==    by 0x6E660F: _emalloc (zend_alloc.c:2537)
==9882==    by 0x72A8887: zend_string_alloc (zend_string.h:144)
==9882==    by 0x72A88F7: zend_string_init (zend_string.h:166)
==9882==    by 0x72ABA4F: ___construct (test.c:418)
==9882==    by 0x76651B: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1755)
==9882==    by 0x7E8E9F: execute_ex (zend_vm_execute.h:55172)
==9882==    by 0x7ED5A7: zend_execute (zend_vm_execute.h:59499)
==9882==    by 0x725AAB: zend_execute_scripts (zend.c:1694)
==9882==    by 0x83DF3F: php_cli_server_dispatch_router (php_cli_server.c:2168)

The issue will not happen if the subject is matched with the pattern:

ZVAL_STRING(&_3args[1], "/hello/");

Or some case likes this (even it doesn't match):

ZVAL_STRING(&_3args[1], "/hello");

PHP Version

PHP 8.0.21-dev

Operating System

No response

[nikic]

You need to compile PCRE with valgrind support, which requires a) a debug build and b) valgrind available at time of compilation. Otherwise, you need to use suppressions to avoid false positives from PCRE.

[navisoft]

You need to compile PCRE with valgrind support, which requires a) a debug build and b) valgrind available at time of compilation. Otherwise, you need to use suppressions to avoid false positives from PCRE.

Thanks @nikic for the suggestion, it help me to resolve the issue.