Bug 1126823 (CVE-2019-9023)

Summary: VUL-1: CVE-2019-9023: php5,php7,php53: a number of heap-based buffer over-read instances are present in mbstring regular expression functions
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: gboiko, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/225269/
Whiteboard: maint:released:sle10-sp3:64227
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2019-02-25 15:01:47 UTC
CVE-2019-9023

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read
instances are present in mbstring regular expression functions when supplied
with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c,
ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c,
ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c
when a multibyte regular expression pattern contains invalid multibyte
sequences.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9023
https://bugs.php.net/bug.php?id=77370
https://bugs.php.net/bug.php?id=77371
https://bugs.php.net/bug.php?id=77381
https://bugs.php.net/bug.php?id=77382
https://bugs.php.net/bug.php?id=77385
https://bugs.php.net/bug.php?id=77394
https://bugs.php.net/bug.php?id=77418
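The input class named in the description is malformed multibyte data reaching the Oniguruma engine through mb_ereg(). An application-side boundary check for that class, added here as an example that is not part of this bug report or of PHP's own code (the helper names `mb_regex_input_is_valid` and `guarded_mb_ereg` are hypothetical), uses the real mb_check_encoding() and mb_regex_encoding() functions to refuse patterns and subjects that are not well-formed in the configured regex encoding. The sample inputs are the two mb_ereg() test-case patterns quoted in this report plus one constructed well-formed pattern:

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Rejects pattern/subject strings that are not well-formed in the
// mbstring regex encoding before they reach mb_ereg(), so invalid
// multibyte sequences never enter the regex engine.

declare(strict_types=1);

/**
 * True if both strings are well-formed in the current mbstring regex
 * encoding (UTF-8 unless changed). Hypothetical helper name.
 */
function mb_regex_input_is_valid(string $pattern, string $subject): bool
{
    $enc = mb_regex_encoding();
    return mb_check_encoding($pattern, $enc) && mb_check_encoding($subject, $enc);
}

/**
 * Wrapper around mb_ereg() that refuses malformed input instead of
 * forwarding it. Returns true on match, false on no match, and throws
 * on malformed input so the rejection is visible in application logs.
 * Hypothetical helper name.
 */
function guarded_mb_ereg(string $pattern, string $subject, ?array &$matches = null): bool
{
    if (!mb_regex_input_is_valid($pattern, $subject)) {
        throw new InvalidArgumentException(
            'mb_ereg input rejected: not valid ' . mb_regex_encoding()
        );
    }
    // mb_ereg() returns int|false before PHP 8 and bool from PHP 8 on;
    // normalise to bool for callers.
    return (bool) mb_ereg($pattern, $subject, $matches);
}

// Sample inputs: the first two are the test-case patterns quoted in this
// report (a bare 0xFC or 0xFA byte is never valid UTF-8); the third is a
// constructed, well-formed pattern for comparison.
$samples = [
    "()0\xfc00000\xfc00000\xfc00000\xfc",
    "000||0\xfa",
    "000||0",
];

mb_regex_encoding('UTF-8');
foreach ($samples as $pattern) {
    try {
        $matched = guarded_mb_ereg($pattern, '0');
        printf("%s -> match=%s\n", bin2hex($pattern), $matched ? 'yes' : 'no');
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected (%s)\n", bin2hex($pattern), $e->getMessage());
    }
}
```

Run with `php guarded_mb_ereg.php`: the two malformed patterns are rejected before mb_ereg() is called and only the well-formed one is compiled. The check is a boundary control for builds that do not yet carry the fix; the fix itself is the patched PHP release, since the over-reads are in the engine and not in the caller.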
Comment 1 Robert Frohl 2019-02-25 15:02:31 UTC
Again all php versions in all codestreams are affected:
- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
Comment 2 Petr Gajdos 2019-03-08 13:43:19 UTC
(In reply to Robert Frohl from comment #0)
> https://bugs.php.net/bug.php?id=77370

I cannot reproduce the issue in 15/php7 with the testcase, either with valgrind or asan, with or without file_get_contents(). I also tried valgrind with file_get_contents() in 12/php7, 12/php5, 11sp3/php53 and 11/php5. No success in reproduction.

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc

Can be applied in: 15/php7, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 3 Petr Gajdos 2019-03-11 14:25:18 UTC
(In reply to Robert Frohl from comment #0)
> https://bugs.php.net/bug.php?id=77371

BEFORE

15/php7: no relevant valgrind errors

12/php7:

$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));'
==21809== Invalid read of size 1
==21809==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21809==    by 0x6F7433F: memcpy (string3.h:51)
==21809==    by 0x6F7433F: add_bytes (regcomp.c:284)
==21809==    by 0x6F7433F: add_compile_string (regcomp.c:452)
==21809==    by 0x6F79465: compile_string_node (regcomp.c:541)
==21809==    by 0x6F79465: compile_tree (regcomp.c:1627)
==21809==    by 0x6F77C24: compile_tree (regcomp.c:1590)
==21809==    by 0x6F7BC84: onig_compile (regcomp.c:5390)
==21809==    by 0x6F7C533: onig_new (regcomp.c:5545)
==21809==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==21809==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==21809==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==21809==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==21809==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==21809==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==21809==  Address 0x6d2f588 is 0 bytes after a block of size 56 alloc'd
==21809==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21809==    by 0x6F8B810: node_new (regparse.c:1129)
==21809==    by 0x6F8B810: node_new_str (regparse.c:1507)
==21809==    by 0x6F8B810: onig_node_new_str (regparse.c:1525)
==21809==    by 0x6F70A62: expand_case_fold_make_rem_string (regcomp.c:3237)
==21809==    by 0x6F7113C: expand_case_fold_string (regcomp.c:3463)
==21809==    by 0x6F7AF6A: setup_tree (regcomp.c:3686)
==21809==    by 0x6F7AF89: setup_tree (regcomp.c:3677)
==21809==    by 0x6F7B123: setup_tree (regcomp.c:3666)
==21809==    by 0x6F7B98E: onig_compile (regcomp.c:5335)
==21809==    by 0x6F7C533: onig_new (regcomp.c:5545)
==21809==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==21809==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==21809==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==21809==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==21809== 
bool(false)
$

12/php5, 11sp3/php53 and 11/php5: no valgrind errors

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=28362ed4fae6969b5a8878591a5a06eadf114e03

AFTER

12/php7:

$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));'
bool(false)
$
Comment 4 Petr Gajdos 2019-03-11 16:44:15 UTC
BEFORE
======

> https://bugs.php.net/bug.php?id=77381

15/php7: no relevant valgrind errors

12/php7, 12/php5, 11sp3/php53:

$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("000||0\xfa","0"));'
== Invalid read of size 1
==    at 0x6F7F670: match_at (regexec.c:1315)
==    by 0x6F85031: onig_search (regexec.c:3638)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
== 
== Invalid read of size 1
==    at 0x6F7EF50: match_at (regexec.c:1315)
==    by 0x6F85031: onig_search (regexec.c:3638)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
== 
== Invalid read of size 1
==    at 0x6F7F670: match_at (regexec.c:1315)
==    by 0x6F850A1: onig_search (regexec.c:3644)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
== 
== Invalid read of size 1
==    at 0x6F7EF50: match_at (regexec.c:1315)
==    by 0x6F850A1: onig_search (regexec.c:3644)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
== 
bool(false)
$

11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77382

15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F94945: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11350)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F9495A: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11351)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F949A4: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11360)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F927C5: onig_st_lookup (st.c:249)
==    by 0x6F949A4: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11360)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F9485E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11329)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F94873: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11330)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F948CD: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11339)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F927C5: onig_st_lookup (st.c:249)
==    by 0x6F948CD: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11339)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F9426E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11187)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F9428F: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11219)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F947E7: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11312)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B515: memcpy (string3.h:51)
==    by 0x6F8B515: onig_strcpy (regparse.c:223)
==    by 0x6F8B515: strcat_capa (regparse.c:297)
==    by 0x6F8B515: onig_node_str_cat (regparse.c:1448)
==    by 0x6F70CB5: expand_case_fold_string (regcomp.c:3416)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
bool(false)
$

12/php5, 11sp3/php53 and 11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77385

15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F8BAC3: fetch_token (regparse.c:3160)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BAFF: fetch_token (regparse.c:3164)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F866B4: fetch_escaped_value (regparse.c:2427)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866DC: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866E6: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866EC: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8670A: conv_backslash_value (regparse.c:2110)
==    by 0x6F8670A: fetch_escaped_value (regparse.c:2480)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8C0EB: fetch_token (regparse.c:3587)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x4C2DEEE: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B56F: memcpy (string3.h:51)
==    by 0x6F8B56F: onig_strcpy (regparse.c:223)
==    by 0x6F8B56F: onig_node_str_cat (regparse.c:1456)
==    by 0x6F8D279: parse_exp (regparse.c:5108)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
== 
== Use of uninitialised value of size 8
==    at 0x6F7C1B3: set_bm_skip (regcomp.c:3913)
==    by 0x6F7C1B3: set_optimize_exact_info (regcomp.c:4907)
==    by 0x6F7C1B3: set_optimize_info_from_tree (regcomp.c:4991)
==    by 0x6F7C1B3: onig_compile (regcomp.c:5382)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
== 
bool(false)
$

12/php5, 11sp3/php53, 11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77394

15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8B9E4: fetch_token (regparse.c:3156)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8B9F9: fetch_token (regparse.c:3602)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BA3B: fetch_token (regparse.c:3619)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F93CF6: onigenc_unicode_mbc_case_fold (unicode.c:11005)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241)
==    by 0x6F71067: expand_case_fold_string_alt (regcomp.c:3319)
==    by 0x6F71067: expand_case_fold_string (regcomp.c:3431)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F93CD1: onigenc_unicode_mbc_case_fold (unicode.c:10990)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241)
==    by 0x6F7113C: expand_case_fold_string (regcomp.c:3464)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B810: node_new (regparse.c:1129)
==    by 0x6F8B810: node_new_str (regparse.c:1507)
==    by 0x6F8B810: onig_node_new_str (regparse.c:1525)
==    by 0x6F70DB8: expand_case_fold_string_alt (regcomp.c:3289)
==    by 0x6F70DB8: expand_case_fold_string (regcomp.c:3431)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7AF89: setup_tree (regcomp.c:3678)
==    by 0x6F7B123: setup_tree (regcomp.c:3667)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F93CF6: onigenc_unicode_mbc_case_fold (unicode.c:11005)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241)
==    by 0x6F7113C: expand_case_fold_string (regcomp.c:3464)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Invalid read of size 1
==    at 0x6F93EF8: onigenc_unicode_mbc_case_fold (unicode.c:11026)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241)
==    by 0x6F7113C: expand_case_fold_string (regcomp.c:3464)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B810: node_new (regparse.c:1129)
==    by 0x6F8B810: node_new_str (regparse.c:1507)
==    by 0x6F8B810: onig_node_new_str (regparse.c:1525)
==    by 0x6F70DB8: expand_case_fold_string_alt (regcomp.c:3289)
==    by 0x6F70DB8: expand_case_fold_string (regcomp.c:3431)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7AF89: setup_tree (regcomp.c:3678)
==    by 0x6F7B123: setup_tree (regcomp.c:3667)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
bool(false)
$

12/php5, 11sp3/php53, 11/php5: no valgrind errors


PATCH
=====

https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5


AFTER
=====

> https://bugs.php.net/bug.php?id=77381

12/php7, 12/php5, 11sp3/php53:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("000||0\xfa","0"));'
int(1)
$

> https://bugs.php.net/bug.php?id=77382

12/php7:
$ USE_ZEND_ALLOC=0 valgrind php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'
== Memcheck, a memory error detector
== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
== Command: php -r var_dump(mb_ereg("(?i)000000000000000000000\\xf0",""));
== 
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F94A05: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11351)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F75E: node_new (regparse.c:1123)
==    by 0x6F8F75E: onig_node_new_alt (regparse.c:1260)
==    by 0x6F8F75E: parse_subexp (regparse.c:5500)
==    by 0x6F8DAEB: parse_enclose (regparse.c:4546)
==    by 0x6F8DAEB: parse_exp (regparse.c:5067)
==    by 0x6F8F558: parse_branch (regparse.c:5455)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F94A1A: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11352)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F94A64: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11361)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F92875: onig_st_lookup (st.c:249)
==    by 0x6F94A64: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11361)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F9491E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11330)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F75E: node_new (regparse.c:1123)
==    by 0x6F8F75E: onig_node_new_alt (regparse.c:1260)
==    by 0x6F8F75E: parse_subexp (regparse.c:5500)
==    by 0x6F8DAEB: parse_enclose (regparse.c:4546)
==    by 0x6F8DAEB: parse_exp (regparse.c:5067)
==    by 0x6F8F558: parse_branch (regparse.c:5455)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F94933: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11331)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F9498D: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11340)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F92875: onig_st_lookup (st.c:249)
==    by 0x6F9498D: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11340)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F9432E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11188)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F75E: node_new (regparse.c:1123)
==    by 0x6F8F75E: onig_node_new_alt (regparse.c:1260)
==    by 0x6F8F75E: parse_subexp (regparse.c:5500)
==    by 0x6F8DAEB: parse_enclose (regparse.c:4546)
==    by 0x6F8DAEB: parse_exp (regparse.c:5067)
==    by 0x6F8F558: parse_branch (regparse.c:5455)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F9434F: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11220)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F948A7: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11313)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
bool(false)
$
[invalid read in onig_strcpy() went away]

> https://bugs.php.net/bug.php?id=77385

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F8BB63: fetch_token (regparse.c:3154)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BB9F: fetch_token (regparse.c:3158)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F86754: fetch_escaped_value (regparse.c:2421)
==    by 0x6F8C17E: fetch_token (regparse.c:3578)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8677C: fetch_escaped_value (regparse.c:2422)
==    by 0x6F8C17E: fetch_token (regparse.c:3578)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F86786: fetch_escaped_value (regparse.c:2422)
==    by 0x6F8C17E: fetch_token (regparse.c:3578)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8678C: fetch_escaped_value (regparse.c:2422)
==    by 0x6F8C17E: fetch_token (regparse.c:3578)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F867AA: conv_backslash_value (regparse.c:2104)
==    by 0x6F867AA: fetch_escaped_value (regparse.c:2474)
==    by 0x6F8C17E: fetch_token (regparse.c:3578)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8C18B: fetch_token (regparse.c:3581)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
== 
bool(false)
$
[invalid read in onig_strcpy() went away]

> https://bugs.php.net/bug.php?id=77385

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BA84: fetch_token (regparse.c:3150)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8ECC1: parse_exp (regparse.c:5077)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BA99: fetch_token (regparse.c:3598)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8ECC1: parse_exp (regparse.c:5077)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BADB: fetch_token (regparse.c:3615)
==    by 0x6F8D342: parse_exp (regparse.c:5100)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8ECC1: parse_exp (regparse.c:5077)
==    by 0x6F8F4D4: parse_branch (regparse.c:5445)
==    by 0x6F8F634: parse_subexp (regparse.c:5482)
==    by 0x6F8F9A0: parse_regexp (regparse.c:5526)
==    by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
==    by 0x6F7B8B9: onig_compile (regcomp.c:5300)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F93DC5: onigenc_unicode_mbc_case_fold (unicode.c:11006)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
==    by 0x6F71077: expand_case_fold_string_alt (regcomp.c:3318)
==    by 0x6F71077: expand_case_fold_string (regcomp.c:3430)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F93D84: onigenc_unicode_mbc_case_fold (unicode.c:10990)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
==    by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B8B0: node_new (regparse.c:1123)
==    by 0x6F8B8B0: node_new_str (regparse.c:1501)
==    by 0x6F8B8B0: onig_node_new_str (regparse.c:1519)
==    by 0x6F70DC8: expand_case_fold_string_alt (regcomp.c:3288)
==    by 0x6F70DC8: expand_case_fold_string (regcomp.c:3430)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B029: setup_tree (regcomp.c:3677)
==    by 0x6F7B1C3: setup_tree (regcomp.c:3666)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
== 
== Use of uninitialised value of size 8
==    at 0x6F9286A: onig_st_lookup (st.c:249)
==    by 0x6F93DC5: onigenc_unicode_mbc_case_fold (unicode.c:11006)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
==    by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== 
bool(false)
$
[invalid read in onigenc_unicode_mbc_case_fold() gone]
Comment 5 Petr Gajdos 2019-03-11 17:22:58 UTC
> https://bugs.php.net/bug.php?id=77418

BEFORE

15/php7, 12/php7
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
==15453== Conditional jump or move depends on uninitialised value(s)
==15453==    at 0x6F93AE7: onigenc_unicode_is_code_ctype (unicode.c:10750)
==15453==    by 0x6F7FBD5: match_at (regexec.c:1948)
==15453==    by 0x6F850D1: onig_search (regexec.c:3638)
==15453==    by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453== 
==15453== Conditional jump or move depends on uninitialised value(s)
==15453==    at 0x6F7ACBC: onig_is_in_code_range (regcomp.c:5647)
==15453==    by 0x6F7FBD5: match_at (regexec.c:1948)
==15453==    by 0x6F850D1: onig_search (regexec.c:3638)
==15453==    by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453== 
==15453== Invalid read of size 1
==15453==    at 0x6F97665: utf32be_mbc_to_code (utf32_be.c:63)
==15453==    by 0x6F7FBCA: match_at (regexec.c:1948)
==15453==    by 0x6F850D1: onig_search (regexec.c:3638)
==15453==    by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453==  Address 0x6d91188 is 0 bytes after a block of size 56 alloc'd
==15453==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15453==    by 0x353FA8: zend_string_alloc (zend_string.h:121)
==15453==    by 0x353FA8: zend_string_init (zend_string.h:157)
==15453==    by 0x353FA8: zend_scan_escape_string (zend_language_scanner.l:895)
==15453==    by 0x359459: lex_scan (zend_language_scanner.l:2051)
==15453==    by 0x37094A: zendlex (zend_compile.c:1587)
==15453==    by 0x35098A: zendparse (zend_language_parser.c:4225)
==15453==    by 0x355A18: compile_string (zend_language_scanner.l:758)
==15453==    by 0x3855D8: zend_eval_stringl (zend_execute_API.c:1125)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453== 
==15453== Conditional jump or move depends on uninitialised value(s)
==15453==    at 0x6F93AE7: onigenc_unicode_is_code_ctype (unicode.c:10750)
==15453==    by 0x6F7FBFE: match_at (regexec.c:1949)
==15453==    by 0x6F850D1: onig_search (regexec.c:3638)
==15453==    by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453== 
==15453== Conditional jump or move depends on uninitialised value(s)
==15453==    at 0x6F7ACBC: onig_is_in_code_range (regcomp.c:5647)
==15453==    by 0x6F7FBFE: match_at (regexec.c:1949)
==15453==    by 0x6F850D1: onig_search (regexec.c:3638)
==15453==    by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453==    by 0x433A7D: do_cli (php_cli.c:1005)
==15453==    by 0x1DE05A: main (php_cli.c:1344)
==15453== 
array(1) {
  [0]=>
  string(30) "000000000000000000000000000000"
}
$

12/php5: conditional jumps

11sp3/php53, 11/php5: no valgrind errors


PATCH

https://gist.github.com/smalyshev/2b4a3c7d838e81f45f813090fe4db5ad


AFTER

15/php7, 12/php7, 12/php5

$ USE_ZEND_ALLOC=0 valgrind -q php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
array(1) {
  [0]=>
  string(30) "000000000000000000000000000000"
}
$
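The mb_split() reproducer above hands a 30-byte subject to a regex engine that decodes UTF-32 in fixed 4-byte units, so the final unit has only 2 bytes left before the end of the string. The following C illustration is added here and is not Oniguruma's or PHP's code (the decoder and helper names are hypothetical); it shows the unchecked fixed-width decode next to a bounds-checked one that rejects the trailing bytes instead of reading past them:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the 30-byte subject string from the reproducer,
 * which is not a whole number of 4-byte UTF-32 code units. */
static const unsigned char SUBJECT[] = "000000000000000000000000000000";
#define SUBJECT_LEN 30u

/* Fixed-width decode that trusts its caller: it always consumes 4 bytes.
 * It is only safe when something upstream has verified that at least
 * 4 bytes remain, which is exactly what an invalid multibyte subject
 * breaks. (Hypothetical illustration, not the engine's own code.) */
static uint32_t utf32be_code_unchecked(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Dry-run of the accesses an aligned `while (p < end)` scan with the
 * unchecked decoder would make over `len` bytes; returns how many bytes
 * beyond the end it would touch. Nothing is dereferenced here. */
static size_t unchecked_overrun_bytes(size_t len)
{
    size_t p = 0, overrun = 0;
    while (p < len) {
        if (p + 4 > len)
            overrun = p + 4 - len;   /* this unit straddles the end */
        p += 4;
    }
    return overrun;
}

/* Hardened decode: refuses to read unless 4 bytes remain before `end`.
 * Returns 1 and stores the code point, or 0 for a truncated unit. */
static int utf32be_code_checked(const unsigned char *p,
                                const unsigned char *end, uint32_t *code)
{
    if (end - p < 4)
        return 0;
    *code = utf32be_code_unchecked(p);
    return 1;
}

/* Walk a subject with the checked decoder. Returns the number of complete
 * units; *trailing receives the leftover byte count, which a caller should
 * treat as invalid input and reject before running any pattern on it. */
static size_t scan_utf32be(const unsigned char *buf, size_t len, size_t *trailing)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t units = 0;
    uint32_t code;
    while (p < end && utf32be_code_checked(p, end, &code)) {
        units++;
        p += 4;
    }
    *trailing = (size_t)(end - p);
    return units;
}

/* Named results for the sample so they can be checked without output parsing. */
static size_t subject_units(void)    { size_t t; return scan_utf32be(SUBJECT, SUBJECT_LEN, &t); }
static size_t subject_trailing(void) { size_t t; scan_utf32be(SUBJECT, SUBJECT_LEN, &t); return t; }

int main(void)
{
    printf("unchecked scan would read %zu byte(s) past the end\n",
           unchecked_overrun_bytes(SUBJECT_LEN));
    printf("checked scan: %zu unit(s) decoded, %zu trailing byte(s) rejected\n",
           subject_units(), subject_trailing());
    return 0;
}
```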
Comment 6 Petr Gajdos 2019-03-11 20:04:13 UTC
== Invalid read of size 1
==    at 0x6F95527: mbc_to_code (utf8.c:106)
==    by 0x6F93D84: onigenc_unicode_mbc_case_fold (unicode.c:10990)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
==    by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
==    by 0x6F7B00A: setup_tree (regcomp.c:3686)
==    by 0x6F7B391: setup_tree (regcomp.c:3809)
==    by 0x6F7BA2E: onig_compile (regcomp.c:5335)
==    by 0x6F7C5D3: onig_new (regcomp.c:5545)
==    by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)

This should also be fixed for 12/php7 in php-CVE-2019-9023.patch.
Comment 7 Petr Gajdos 2019-03-11 20:04:38 UTC
Will submit for: 15/php7, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
Comment 8 Petr Gajdos 2019-03-11 21:04:03 UTC
I believe all fixed.
Comment 10 Swamp Workflow Management 2019-03-13 17:37:26 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-04-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64226
Comment 14 Swamp Workflow Management 2019-04-05 19:19:54 UTC
SUSE-SU-2019:14013-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722,1128883,1128886,1128887,1128889,1128892
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.58.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.58.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.58.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-04-18 16:12:29 UTC
SUSE-SU-2019:0985-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9641
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.51.6
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.51.6
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.51.6

Comment 16 Swamp Workflow Management 2019-04-23 15:07:33 UTC
openSUSE-SU-2019:1256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9641
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-115.1
Comment 18 Swamp Workflow Management 2019-04-29 13:09:43 UTC
openSUSE-SU-2019:1293-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-58.1
Comment 20 Swamp Workflow Management 2019-06-11 22:11:39 UTC
SUSE-SU-2019:1461-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    php7-7.2.5-4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-06-18 16:38:02 UTC
openSUSE-SU-2019:1572-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.3.1
Comment 22 Swamp Workflow Management 2019-06-18 16:43:11 UTC
openSUSE-SU-2019:1573-1: An update that solves 16 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.19.1
Comment 23 Marcus Meissner 2019-07-16 06:08:12 UTC
done
Comment 26 OBSbugzilla Bot 2020-05-12 08:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (1126823) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7
Comment 27 OBSbugzilla Bot 2020-05-12 14:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (1126823) was mentioned in
https://build.opensuse.org/request/show/802978 Factory / php7
Comment 28 OBSbugzilla Bot 2020-05-13 08:20:34 UTC
This is an autogenerated message for OBS integration:
This bug (1126823) was mentioned in
https://build.opensuse.org/request/show/804946 Factory / php7