Bugzilla – Bug 1126823
VUL-1: CVE-2019-9023: php5,php7,php53: a number of heap-based buffer over-read instances are present in mbstring regular expression functions
Last modified: 2023-10-26 10:35:29 UTC
CVE-2019-9023: An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9023
https://bugs.php.net/bug.php?id=77370
https://bugs.php.net/bug.php?id=77371
https://bugs.php.net/bug.php?id=77381
https://bugs.php.net/bug.php?id=77382
https://bugs.php.net/bug.php?id=77385
https://bugs.php.net/bug.php?id=77394
https://bugs.php.net/bug.php?id=77418
Again, all php versions in all codestreams are affected:
- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
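As an added input-validation guard (example code written here, not from the bug report or from the PHP project): mb_check_encoding() refuses each of the malformed patterns used in the valgrind reproducers further down, so an application that compiles untrusted patterns with mb_ereg() can reject them before Oniguruma parses them. It assumes PHP 5.4+ syntax and the default UTF-8 regex encoding; guarded_mb_ereg and InvalidPatternEncoding are names chosen for this example. It does not replace the patched packages; it only filters patterns the application chooses to check.

```php
<?php
// Added example for this bug, not code from the bug report or from the PHP
// project: refuse a regex pattern that is not well-formed in the mbstring regex
// encoding before it reaches the Oniguruma compiler. Every reproducer in this
// bug puts a stray lead byte (\xfc, \xfa, \xf0, \xf5, \xfd) into the pattern,
// and mb_check_encoding() rejects each of them under UTF-8.
// guarded_mb_ereg and InvalidPatternEncoding are names chosen here.

class InvalidPatternEncoding extends InvalidArgumentException {}

/**
 * True iff $pattern is a well-formed string in $encoding.
 * $encoding defaults to the engine's current regex encoding (mb_regex_encoding()).
 */
function mb_pattern_is_well_formed($pattern, $encoding = null)
{
    if ($encoding === null) {
        $encoding = mb_regex_encoding();
    }
    return mb_check_encoding($pattern, $encoding);
}

/**
 * Guard around mb_ereg(): throws on a malformed pattern instead of compiling
 * it; otherwise returns whatever mb_ereg() returns (false when nothing matches).
 */
function guarded_mb_ereg($pattern, $subject, &$regs = null)
{
    if (!mb_pattern_is_well_formed($pattern)) {
        throw new InvalidPatternEncoding(sprintf(
            'pattern is not valid %s (hex: %s)',
            mb_regex_encoding(),
            bin2hex($pattern)
        ));
    }
    return mb_ereg($pattern, $subject, $regs);
}

// Demo: the five pattern strings quoted in the valgrind reproducers in this
// bug, plus one well-formed pattern as a control.
mb_regex_encoding('UTF-8');
$patterns = [
    "()0\xfc00000\xfc00000\xfc00000\xfc",   // bug 77371
    "000||0\xfa",                           // bug 77381
    "(?i)000000000000000000000\xf0",        // bug 77382
    "0000\\" . "\xf5",                      // bug 77385
    "(?i)FFF00000000000000000\xfd",         // bug 77394
    '^0+$',                                 // control: well-formed, matches "0"
];
foreach ($patterns as $p) {
    try {
        $result = guarded_mb_ereg($p, '0');
        printf("compiled and ran: %s -> %s\n", bin2hex($p), var_export($result, true));
    } catch (InvalidPatternEncoding $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```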
(In reply to Robert Frohl from comment #0)
> https://bugs.php.net/bug.php?id=77370

I cannot reproduce the issue in 15/php7 with the testcase, either with valgrind or asan, with or without file_get_contents(). I also tried valgrind with file_get_contents() in 12/php7, 12/php5, 11sp3/php53 and 11/php5. No success in reproduction.

PATCH
http://git.php.net/?p=php-src.git;a=commit;h=20407d06ca3cb5eeb10f876a812b40c381574bcc

Can be applied in: 15/php7, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
(In reply to Robert Frohl from comment #0)
> https://bugs.php.net/bug.php?id=77371

BEFORE
15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));'
==21809== Invalid read of size 1
==21809==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21809==    by 0x6F7433F: memcpy (string3.h:51)
==21809==    by 0x6F7433F: add_bytes (regcomp.c:284)
==21809==    by 0x6F7433F: add_compile_string (regcomp.c:452)
==21809==    by 0x6F79465: compile_string_node (regcomp.c:541)
==21809==    by 0x6F79465: compile_tree (regcomp.c:1627)
==21809==    by 0x6F77C24: compile_tree (regcomp.c:1590)
==21809==    by 0x6F7BC84: onig_compile (regcomp.c:5390)
==21809==    by 0x6F7C533: onig_new (regcomp.c:5545)
==21809==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==21809==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==21809==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==21809==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==21809==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==21809==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==21809==  Address 0x6d2f588 is 0 bytes after a block of size 56 alloc'd
==21809==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==21809==    by 0x6F8B810: node_new (regparse.c:1129)
==21809==    by 0x6F8B810: node_new_str (regparse.c:1507)
==21809==    by 0x6F8B810: onig_node_new_str (regparse.c:1525)
==21809==    by 0x6F70A62: expand_case_fold_make_rem_string (regcomp.c:3237)
==21809==    by 0x6F7113C: expand_case_fold_string (regcomp.c:3463)
==21809==    by 0x6F7AF6A: setup_tree (regcomp.c:3686)
==21809==    by 0x6F7AF89: setup_tree (regcomp.c:3677)
==21809==    by 0x6F7B123: setup_tree (regcomp.c:3666)
==21809==    by 0x6F7B98E: onig_compile (regcomp.c:5335)
==21809==    by 0x6F7C533: onig_new (regcomp.c:5545)
==21809==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==21809==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==21809==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==21809==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==21809==
bool(false)
$

12/php5, 11sp3/php53 and 11/php5: no valgrind errors

PATCH
http://git.php.net/?p=php-src.git;a=commit;h=28362ed4fae6969b5a8878591a5a06eadf114e03

AFTER
12/php7
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));'
bool(false)
$
BEFORE
======
> https://bugs.php.net/bug.php?id=77381
15/php7: no relevant valgrind errors

12/php7, 12/php5, 11sp3/php53:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("000||0\xfa","0"));'
== Invalid read of size 1
==    at 0x6F7F670: match_at (regexec.c:1315)
==    by 0x6F85031: onig_search (regexec.c:3638)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==
== Invalid read of size 1
==    at 0x6F7EF50: match_at (regexec.c:1315)
==    by 0x6F85031: onig_search (regexec.c:3638)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==
== Invalid read of size 1
==    at 0x6F7F670: match_at (regexec.c:1315)
==    by 0x6F850A1: onig_search (regexec.c:3644)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==
== Invalid read of size 1
==    at 0x6F7EF50: match_at (regexec.c:1315)
==    by 0x6F850A1: onig_search (regexec.c:3644)
==    by 0x6FBE1F9: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:732)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==  Address 0x6d91f08 is 12 bytes after a block of size 28 alloc'd
==    at 0x4C2B41E: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F77DD1: add_opcode (regcomp.c:203)
==    by 0x6F77DD1: add_opcode_rel_addr (regcomp.c:275)
==    by 0x6F77DD1: compile_tree (regcomp.c:1610)
==    by 0x6F7BC84: onig_compile (regcomp.c:5391)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==
bool(false)
$

11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77382
15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));'
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F94945: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11350)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F9495A: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11351)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F949A4: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11360)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F927C5: onig_st_lookup (st.c:249)
==    by 0x6F949A4: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11360)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F9485E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11329)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F94873: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11330)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F948CD: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11339)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F927C5: onig_st_lookup (st.c:249)
==    by 0x6F948CD: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11339)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F9426E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11187)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F9428F: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11219)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F947E7: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11312)
==    by 0x6F70CEE: expand_case_fold_string (regcomp.c:3387)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Invalid read of size 1
==    at 0x4C2DEE0: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B515: memcpy (string3.h:51)
==    by 0x6F8B515: onig_strcpy (regparse.c:223)
==    by 0x6F8B515: strcat_capa (regparse.c:297)
==    by 0x6F8B515: onig_node_str_cat (regparse.c:1448)
==    by 0x6F70CB5: expand_case_fold_string (regcomp.c:3416)
==    by 0x6F7AF6A: setup_tree (regcomp.c:3687)
==    by 0x6F7B2F1: setup_tree (regcomp.c:3810)
==    by 0x6F7B98E: onig_compile (regcomp.c:5336)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==  Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8F6AE: node_new (regparse.c:1129)
==    by 0x6F8F6AE: onig_node_new_alt (regparse.c:1266)
==    by 0x6F8F6AE: parse_subexp (regparse.c:5504)
==    by 0x6F8DA3B: parse_enclose (regparse.c:4550)
==    by 0x6F8DA3B: parse_exp (regparse.c:5071)
==    by 0x6F8F4A8: parse_branch (regparse.c:5459)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004)
==    by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
==    by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
==    by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554)
==    by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
==
bool(false)
$

12/php5, 11sp3/php53 and 11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77385
15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));'
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F8BAC3: fetch_token (regparse.c:3160)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BAFF: fetch_token (regparse.c:3164)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Invalid read of size 1
==    at 0x6F95467: mbc_to_code (utf8.c:106)
==    by 0x6F866B4: fetch_escaped_value (regparse.c:2427)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866DC: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866E6: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F866EC: fetch_escaped_value (regparse.c:2428)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8670A: conv_backslash_value (regparse.c:2110)
==    by 0x6F8670A: fetch_escaped_value (regparse.c:2480)
==    by 0x6F8C0DE: fetch_token (regparse.c:3584)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8C0EB: fetch_token (regparse.c:3587)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==
== Invalid read of size 1
==    at 0x4C2DEEE: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x6F8B56F: memcpy (string3.h:51)
==    by 0x6F8B56F: onig_strcpy (regparse.c:223)
==    by 0x6F8B56F: onig_node_str_cat (regparse.c:1456)
==    by 0x6F8D279: parse_exp (regparse.c:5108)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==  Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd
==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==    by 0x389CFC: zend_string_alloc (zend_string.h:121)
==    by 0x389CFC: concat_function (zend_operators.c:1652)
==    by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827)
==    by 0x378378: zend_compile_binary_op (zend_compile.c:5934)
==    by 0x3769E0: zend_compile_expr (zend_compile.c:7171)
==    by 0x379BAA: zend_compile_args (zend_compile.c:2753)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x379CE8: zend_compile_args (zend_compile.c:2725)
==    by 0x379FBC: zend_compile_call_common (zend_compile.c:2832)
==    by 0x37AC98: zend_compile_call (zend_compile.c:3273)
==    by 0x376D0A: zend_compile_expr (zend_compile.c:7153)
==    by 0x37E760: zend_compile_stmt (zend_compile.c:7122)
==
== Use of uninitialised value of size 8
==    at 0x6F7C1B3: set_bm_skip (regcomp.c:3913)
==    by 0x6F7C1B3: set_optimize_exact_info (regcomp.c:4907)
==    by 0x6F7C1B3: set_optimize_info_from_tree (regcomp.c:4991)
==    by 0x6F7C1B3: onig_compile (regcomp.c:5382)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==    by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==    by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==    by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==    by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==    by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==    by 0x433A7D: do_cli (php_cli.c:1005)
==    by 0x1DE05A: main (php_cli.c:1344)
==
bool(false)
$

12/php5, 11sp3/php53, 11/php5: no valgrind errors

> https://bugs.php.net/bug.php?id=77394
15/php7: no relevant valgrind errors

12/php7:
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));'
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8B9E4: fetch_token (regparse.c:3156)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8B9F9: fetch_token (regparse.c:3602)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==
== Conditional jump or move depends on uninitialised value(s)
==    at 0x6F8BA3B: fetch_token (regparse.c:3619)
==    by 0x6F8D292: parse_exp (regparse.c:5104)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8EC11: parse_exp (regparse.c:5081)
==    by 0x6F8F424: parse_branch (regparse.c:5449)
==    by 0x6F8F584: parse_subexp (regparse.c:5486)
==    by 0x6F8F8F0: parse_regexp (regparse.c:5530)
==    by 0x6F8F8F0: onig_parse_make_tree (regparse.c:5557)
==    by 0x6F7B819: onig_compile (regcomp.c:5301)
==    by 0x6F7C533: onig_new (regcomp.c:5546)
==    by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456)
==    by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==
== Use of uninitialised value of size 8
==    at 0x6F927BA: onig_st_lookup (st.c:249)
==    by 0x6F93CF6: onigenc_unicode_mbc_case_fold (unicode.c:11005)
==    by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207)
==    by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241)
==    by 0x6F71067:
expand_case_fold_string_alt (regcomp.c:3319) == by 0x6F71067: expand_case_fold_string (regcomp.c:3431) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7B2F1: setup_tree (regcomp.c:3810) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Invalid read of size 1 == at 0x6F95467: mbc_to_code (utf8.c:106) == by 0x6F93CD1: onigenc_unicode_mbc_case_fold (unicode.c:10990) == by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207) == by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241) == by 0x6F7113C: expand_case_fold_string (regcomp.c:3464) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7B2F1: setup_tree (regcomp.c:3810) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x6F8B810: node_new (regparse.c:1129) == by 0x6F8B810: node_new_str (regparse.c:1507) == by 0x6F8B810: onig_node_new_str (regparse.c:1525) == by 0x6F70DB8: expand_case_fold_string_alt (regcomp.c:3289) == by 0x6F70DB8: expand_case_fold_string (regcomp.c:3431) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7AF89: setup_tree (regcomp.c:3678) == by 0x6F7B123: setup_tree (regcomp.c:3667) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004) == by 
0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442) == by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264) == by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554) == by 0x396F7D: zend_startup_module_ex (zend_API.c:1849) == == Use of uninitialised value of size 8 == at 0x6F927BA: onig_st_lookup (st.c:249) == by 0x6F93CF6: onigenc_unicode_mbc_case_fold (unicode.c:11005) == by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207) == by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241) == by 0x6F7113C: expand_case_fold_string (regcomp.c:3464) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7B2F1: setup_tree (regcomp.c:3810) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Invalid read of size 1 == at 0x6F93EF8: onigenc_unicode_mbc_case_fold (unicode.c:11026) == by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3207) == by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3241) == by 0x6F7113C: expand_case_fold_string (regcomp.c:3464) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7B2F1: setup_tree (regcomp.c:3810) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FBE045: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE1C0: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x6F8B810: node_new (regparse.c:1129) == by 0x6F8B810: 
node_new_str (regparse.c:1507) == by 0x6F8B810: onig_node_new_str (regparse.c:1525) == by 0x6F70DB8: expand_case_fold_string_alt (regcomp.c:3289) == by 0x6F70DB8: expand_case_fold_string (regcomp.c:3431) == by 0x6F7AF6A: setup_tree (regcomp.c:3687) == by 0x6F7AF89: setup_tree (regcomp.c:3678) == by 0x6F7B123: setup_tree (regcomp.c:3667) == by 0x6F7B98E: onig_compile (regcomp.c:5336) == by 0x6F7C533: onig_new (regcomp.c:5546) == by 0x6FB4729: _php_mb_compile_regex (mbstring.c:1004) == by 0x6FB4729: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442) == by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264) == by 0x6FB4356: zm_startup_mbstring (mbstring.c:1554) == by 0x396F7D: zend_startup_module_ex (zend_API.c:1849) == bool(false) $ 12/php5, 11sp3/php53, 11/php5: no valgrind errors PATCH ===== https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5 AFTER ===== > https://bugs.php.net/bug.php?id=77381 12/php7, 12/php5, 11sp3/php53: $ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("000||0\xfa","0"));' int(1) $ > https://bugs.php.net/bug.php?id=77382 12/php7: $ USE_ZEND_ALLOC=0 valgrind php -r 'var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));' == Memcheck, a memory error detector == Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info == Command: php -r var_dump(mb_ereg("(?i)000000000000000000000\\xf0","")); == == Invalid read of size 1 == at 0x6F95527: mbc_to_code (utf8.c:106) == by 0x6F94A05: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11351) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x6F8F75E: node_new (regparse.c:1123) == by 0x6F8F75E: onig_node_new_alt (regparse.c:1260) == by 0x6F8F75E: parse_subexp (regparse.c:5500) == by 0x6F8DAEB: parse_enclose (regparse.c:4546) == by 0x6F8DAEB: parse_exp (regparse.c:5067) == by 0x6F8F558: parse_branch (regparse.c:5455) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004) == by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442) == by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264) == by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554) == by 0x396F7D: zend_startup_module_ex (zend_API.c:1849) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F94A1A: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11352) == by 
0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F94A64: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11361) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F92875: onig_st_lookup (st.c:249) == by 0x6F94A64: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11361) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Invalid read of size 1 
== at 0x6F95527: mbc_to_code (utf8.c:106) == by 0x6F9491E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11330) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x6F8F75E: node_new (regparse.c:1123) == by 0x6F8F75E: onig_node_new_alt (regparse.c:1260) == by 0x6F8F75E: parse_subexp (regparse.c:5500) == by 0x6F8DAEB: parse_enclose (regparse.c:4546) == by 0x6F8DAEB: parse_exp (regparse.c:5067) == by 0x6F8F558: parse_branch (regparse.c:5455) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004) == by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442) == by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264) == by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554) == by 0x396F7D: zend_startup_module_ex (zend_API.c:1849) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F94933: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11331) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile 
(regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F9498D: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11340) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F92875: onig_st_lookup (st.c:249) == by 0x6F9498D: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11340) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Invalid read of size 1 == at 0x6F95527: mbc_to_code (utf8.c:106) == by 0x6F9432E: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11188) == by 0x6F70CEE: expand_case_fold_string 
(regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == Address 0x6d2e4b8 is 0 bytes after a block of size 56 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x6F8F75E: node_new (regparse.c:1123) == by 0x6F8F75E: onig_node_new_alt (regparse.c:1260) == by 0x6F8F75E: parse_subexp (regparse.c:5500) == by 0x6F8DAEB: parse_enclose (regparse.c:4546) == by 0x6F8DAEB: parse_exp (regparse.c:5067) == by 0x6F8F558: parse_branch (regparse.c:5455) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004) == by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442) == by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264) == by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554) == by 0x396F7D: zend_startup_module_ex (zend_API.c:1849) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F9434F: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11220) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: 
_php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Use of uninitialised value of size 8 == at 0x6F9286A: onig_st_lookup (st.c:249) == by 0x6F948A7: onigenc_unicode_get_case_fold_codes_by_str (unicode.c:11313) == by 0x6F70CEE: expand_case_fold_string (regcomp.c:3386) == by 0x6F7B00A: setup_tree (regcomp.c:3686) == by 0x6F7B391: setup_tree (regcomp.c:3809) == by 0x6F7BA2E: onig_compile (regcomp.c:5335) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == bool(false) $ [invalid read in onig_strcpy() went away] > https://bugs.php.net/bug.php?id=77385 12/php7: $ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("0000\\"."\xf5","0"));' == Invalid read of size 1 == at 0x6F95527: mbc_to_code (utf8.c:106) == by 0x6F8BB63: fetch_token (regparse.c:3154) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x389CFC: zend_string_alloc 
(zend_string.h:121) == by 0x389CFC: concat_function (zend_operators.c:1652) == by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827) == by 0x378378: zend_compile_binary_op (zend_compile.c:5934) == by 0x3769E0: zend_compile_expr (zend_compile.c:7171) == by 0x379BAA: zend_compile_args (zend_compile.c:2753) == by 0x379FBC: zend_compile_call_common (zend_compile.c:2832) == by 0x37AC98: zend_compile_call (zend_compile.c:3273) == by 0x379CE8: zend_compile_args (zend_compile.c:2725) == by 0x379FBC: zend_compile_call_common (zend_compile.c:2832) == by 0x37AC98: zend_compile_call (zend_compile.c:3273) == by 0x376D0A: zend_compile_expr (zend_compile.c:7153) == by 0x37E760: zend_compile_stmt (zend_compile.c:7122) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F8BB9F: fetch_token (regparse.c:3158) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == == Invalid read of size 1 == at 0x6F95527: mbc_to_code (utf8.c:106) == by 0x6F86754: fetch_escaped_value (regparse.c:2421) == by 0x6F8C17E: fetch_token (regparse.c:3578) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: 
php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == Address 0x6d91ae0 is 0 bytes after a block of size 32 alloc'd == at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) == by 0x389CFC: zend_string_alloc (zend_string.h:121) == by 0x389CFC: concat_function (zend_operators.c:1652) == by 0x378378: zend_try_ct_eval_binary_op (zend_compile.c:5827) == by 0x378378: zend_compile_binary_op (zend_compile.c:5934) == by 0x3769E0: zend_compile_expr (zend_compile.c:7171) == by 0x379BAA: zend_compile_args (zend_compile.c:2753) == by 0x379FBC: zend_compile_call_common (zend_compile.c:2832) == by 0x37AC98: zend_compile_call (zend_compile.c:3273) == by 0x379CE8: zend_compile_args (zend_compile.c:2725) == by 0x379FBC: zend_compile_call_common (zend_compile.c:2832) == by 0x37AC98: zend_compile_call (zend_compile.c:3273) == by 0x376D0A: zend_compile_expr (zend_compile.c:7153) == by 0x37E760: zend_compile_stmt (zend_compile.c:7122) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F8677C: fetch_escaped_value (regparse.c:2422) == by 0x6F8C17E: fetch_token (regparse.c:3578) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F86786: fetch_escaped_value (regparse.c:2422) == by 0x6F8C17E: fetch_token 
(regparse.c:3578) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F8678C: fetch_escaped_value (regparse.c:2422) == by 0x6F8C17E: fetch_token (regparse.c:3578) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F867AA: conv_backslash_value (regparse.c:2104) == by 0x6F867AA: fetch_escaped_value (regparse.c:2474) == by 0x6F8C17E: fetch_token (regparse.c:3578) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: 
_php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F8C18B: fetch_token (regparse.c:3581) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586) == by 0x3D5FAA: execute_ex (zend_vm_execute.h:414) == by 0x431FE2: zend_execute (zend_vm_execute.h:458) == bool(false) $ [invalid read in onig_strcpy() went away] > https://bugs.php.net/bug.php?id=77385 12/php7: $ USE_ZEND_ALLOC=0 valgrind -q php -r 'var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));' == Conditional jump or move depends on uninitialised value(s) == at 0x6F8BA84: fetch_token (regparse.c:3150) == by 0x6F8D342: parse_exp (regparse.c:5100) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8ECC1: parse_exp (regparse.c:5077) == by 0x6F8F4D4: parse_branch (regparse.c:5445) == by 0x6F8F634: parse_subexp (regparse.c:5482) == by 0x6F8F9A0: parse_regexp (regparse.c:5526) == by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553) == by 0x6F7B8B9: onig_compile (regcomp.c:5300) == by 0x6F7C5D3: onig_new (regcomp.c:5545) == by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456) == by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723) == == Conditional jump or move depends on uninitialised value(s) == at 0x6F8BA99: fetch_token (regparse.c:3598) == by 0x6F8D342: parse_exp (regparse.c:5100) == 
by 0x6F8F4D4: parse_branch (regparse.c:5445)
== by 0x6F8F634: parse_subexp (regparse.c:5482)
== by 0x6F8ECC1: parse_exp (regparse.c:5077)
== by 0x6F8F4D4: parse_branch (regparse.c:5445)
== by 0x6F8F634: parse_subexp (regparse.c:5482)
== by 0x6F8F9A0: parse_regexp (regparse.c:5526)
== by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
== by 0x6F7B8B9: onig_compile (regcomp.c:5300)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==
== Conditional jump or move depends on uninitialised value(s)
== at 0x6F8BADB: fetch_token (regparse.c:3615)
== by 0x6F8D342: parse_exp (regparse.c:5100)
== by 0x6F8F4D4: parse_branch (regparse.c:5445)
== by 0x6F8F634: parse_subexp (regparse.c:5482)
== by 0x6F8ECC1: parse_exp (regparse.c:5077)
== by 0x6F8F4D4: parse_branch (regparse.c:5445)
== by 0x6F8F634: parse_subexp (regparse.c:5482)
== by 0x6F8F9A0: parse_regexp (regparse.c:5526)
== by 0x6F8F9A0: onig_parse_make_tree (regparse.c:5553)
== by 0x6F7B8B9: onig_compile (regcomp.c:5300)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
==
== Use of uninitialised value of size 8
== at 0x6F9286A: onig_st_lookup (st.c:249)
== by 0x6F93DC5: onigenc_unicode_mbc_case_fold (unicode.c:11006)
== by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
== by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
== by 0x6F71077: expand_case_fold_string_alt (regcomp.c:3318)
== by 0x6F71077: expand_case_fold_string (regcomp.c:3430)
== by 0x6F7B00A: setup_tree (regcomp.c:3686)
== by 0x6F7B391: setup_tree (regcomp.c:3809)
== by 0x6F7BA2E: onig_compile (regcomp.c:5335)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
== Invalid read of size 1
== at 0x6F95527: mbc_to_code (utf8.c:106)
== by 0x6F93D84: onigenc_unicode_mbc_case_fold (unicode.c:10990)
== by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
== by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
== by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
== by 0x6F7B00A: setup_tree (regcomp.c:3686)
== by 0x6F7B391: setup_tree (regcomp.c:3809)
== by 0x6F7BA2E: onig_compile (regcomp.c:5335)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
== Address 0x6d2f108 is 0 bytes after a block of size 56 alloc'd
== at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
== by 0x6F8B8B0: node_new (regparse.c:1123)
== by 0x6F8B8B0: node_new_str (regparse.c:1501)
== by 0x6F8B8B0: onig_node_new_str (regparse.c:1519)
== by 0x6F70DC8: expand_case_fold_string_alt (regcomp.c:3288)
== by 0x6F70DC8: expand_case_fold_string (regcomp.c:3430)
== by 0x6F7B00A: setup_tree (regcomp.c:3686)
== by 0x6F7B029: setup_tree (regcomp.c:3677)
== by 0x6F7B1C3: setup_tree (regcomp.c:3666)
== by 0x6F7BA2E: onig_compile (regcomp.c:5335)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FB47E9: _php_mb_compile_regex (mbstring.c:1004)
== by 0x6FB47E9: OnUpdate_mbstring_http_output_conv_mimetypes (mbstring.c:1442)
== by 0x3AD92B: zend_register_ini_entries (zend_ini.c:264)
== by 0x6FB4416: zm_startup_mbstring (mbstring.c:1554)
== by 0x396F7D: zend_startup_module_ex (zend_API.c:1849)
==
== Use of uninitialised value of size 8
== at 0x6F9286A: onig_st_lookup (st.c:249)
== by 0x6F93DC5: onigenc_unicode_mbc_case_fold (unicode.c:11006)
== by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
== by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
== by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
== by 0x6F7B00A: setup_tree (regcomp.c:3686)
== by 0x6F7B391: setup_tree (regcomp.c:3809)
== by 0x6F7BA2E: onig_compile (regcomp.c:5335)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==
bool(false)
$
[invalid read in onigenc_unicode_mbc_case_fold() gone]
> https://bugs.php.net/bug.php?id=77418

BEFORE
15/php7, 12/php7
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
==15453== Conditional jump or move depends on uninitialised value(s)
==15453== at 0x6F93AE7: onigenc_unicode_is_code_ctype (unicode.c:10750)
==15453== by 0x6F7FBD5: match_at (regexec.c:1948)
==15453== by 0x6F850D1: onig_search (regexec.c:3638)
==15453== by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453== by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453== by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453==
==15453== Conditional jump or move depends on uninitialised value(s)
==15453== at 0x6F7ACBC: onig_is_in_code_range (regcomp.c:5647)
==15453== by 0x6F7FBD5: match_at (regexec.c:1948)
==15453== by 0x6F850D1: onig_search (regexec.c:3638)
==15453== by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453== by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453== by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453==
==15453== Invalid read of size 1
==15453== at 0x6F97665: utf32be_mbc_to_code (utf32_be.c:63)
==15453== by 0x6F7FBCA: match_at (regexec.c:1948)
==15453== by 0x6F850D1: onig_search (regexec.c:3638)
==15453== by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453== by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453== by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453== Address 0x6d91188 is 0 bytes after a block of size 56 alloc'd
==15453== at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15453== by 0x353FA8: zend_string_alloc (zend_string.h:121)
==15453== by 0x353FA8: zend_string_init (zend_string.h:157)
==15453== by 0x353FA8: zend_scan_escape_string (zend_language_scanner.l:895)
==15453== by 0x359459: lex_scan (zend_language_scanner.l:2051)
==15453== by 0x37094A: zendlex (zend_compile.c:1587)
==15453== by 0x35098A: zendparse (zend_language_parser.c:4225)
==15453== by 0x355A18: compile_string (zend_language_scanner.l:758)
==15453== by 0x3855D8: zend_eval_stringl (zend_execute_API.c:1125)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453==
==15453== Conditional jump or move depends on uninitialised value(s)
==15453== at 0x6F93AE7: onigenc_unicode_is_code_ctype (unicode.c:10750)
==15453== by 0x6F7FBFE: match_at (regexec.c:1949)
==15453== by 0x6F850D1: onig_search (regexec.c:3638)
==15453== by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453== by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453== by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453==
==15453== Conditional jump or move depends on uninitialised value(s)
==15453== at 0x6F7ACBC: onig_is_in_code_range (regcomp.c:5647)
==15453== by 0x6F7FBFE: match_at (regexec.c:1949)
==15453== by 0x6F850D1: onig_search (regexec.c:3638)
==15453== by 0x6FBFDD8: zif_mb_split (php_mbregex.c:1091)
==15453== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==15453== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)
==15453== by 0x431FE2: zend_execute (zend_vm_execute.h:458)
==15453== by 0x385636: zend_eval_stringl (zend_execute_API.c:1135)
==15453== by 0x3857B8: zend_eval_stringl_ex (zend_execute_API.c:1176)
==15453== by 0x433A7D: do_cli (php_cli.c:1005)
==15453== by 0x1DE05A: main (php_cli.c:1344)
==15453==
array(1) {
  [0]=>
  string(30) "000000000000000000000000000000"
}
$

12/php5: conditional jumps
11sp3/php53, 11/php5: no valgrind errors

PATCH
https://gist.github.com/smalyshev/2b4a3c7d838e81f45f813090fe4db5ad

AFTER
15/php7, 12/php7, 12/php5
$ USE_ZEND_ALLOC=0 valgrind -q php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
array(1) {
  [0]=>
  string(30) "000000000000000000000000000000"
}
$
== Invalid read of size 1
== at 0x6F95527: mbc_to_code (utf8.c:106)
== by 0x6F93D84: onigenc_unicode_mbc_case_fold (unicode.c:10990)
== by 0x6F70AFA: update_string_node_case_fold (regcomp.c:3206)
== by 0x6F70AFA: expand_case_fold_make_rem_string (regcomp.c:3240)
== by 0x6F7114C: expand_case_fold_string (regcomp.c:3463)
== by 0x6F7B00A: setup_tree (regcomp.c:3686)
== by 0x6F7B391: setup_tree (regcomp.c:3809)
== by 0x6F7BA2E: onig_compile (regcomp.c:5335)
== by 0x6F7C5D3: onig_new (regcomp.c:5545)
== by 0x6FBE105: php_mbregex_compile_pattern (php_mbregex.c:456)
== by 0x6FBE280: _php_mb_regex_ereg_exec.isra.4 (php_mbregex.c:723)
== by 0x3E32BC: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
== by 0x3D5FAA: execute_ex (zend_vm_execute.h:414)

This should also be fixed for 12/php7 in php-CVE-2019-9023.patch.
Will submit for: 15/php7, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.
I believe all fixed.
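The remaining invalid read in mbc_to_code (utf8.c:106) in the traces above is the mechanism the CVE text describes: the UTF-8 encoding hook derives the sequence length from the lead byte and reads that many bytes, so a pattern whose last byte is a lead byte like 0xfc sends the read past the end of the heap block the string node was copied into (valgrind reports it as "0 bytes after a block of size 56"). The following is an added illustration of that bug class and of the bounds check that closes it; it is not code from oniguruma, PHP or any of the patches referenced in this bug. The length table follows the original 1..6-byte UTF-8 scheme as an assumption of the example, the function names are my own, and the sample byte strings are constructed, not the test cases from the bug reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sample patterns, constructed for this illustration (not the test cases
 * from the bug reports). SAMPLE_TRUNCATED ends in a 0xFC lead byte that
 * claims a 6-byte sequence with nothing after it; SAMPLE_EURO_CUT ends in
 * a 3-byte sequence cut after two bytes; SAMPLE_VALID is well-formed. */
const unsigned char SAMPLE_TRUNCATED[] = { '(', ')', '0', 0xFC };
const unsigned char SAMPLE_EURO_CUT[]  = { 'x', 0xE2, 0x82 };
const unsigned char SAMPLE_VALID[]     = { 'a', 0xC3, 0xA9, 'b' };   /* "a\u00e9b" */

/* Length a decoder derives from the lead byte alone, using the original
 * 1..6-byte UTF-8 table (assumption of this example) in which 0xF8..0xFB
 * lead 5-byte and 0xFC..0xFD lead 6-byte forms. A continuation byte
 * (0x80..0xBF) or 0xFE/0xFF is not a lead byte: returns 0. */
size_t utf8_claimed_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead < 0xC0) return 0;
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF8) return 4;
    if (lead < 0xFC) return 5;
    if (lead < 0xFE) return 6;
    return 0;
}

/* The bug class, modelled without performing any out-of-bounds read: walk
 * the pattern the way a decoder that trusts utf8_claimed_len() would, and
 * return how many bytes past the end it would touch (0 if it stays in
 * bounds). A stray non-lead byte is counted as one byte and skipped. */
size_t utf8_over_read_if_trusted(const unsigned char *pat, size_t n)
{
    size_t i = 0;
    while (i < n) {
        size_t len = utf8_claimed_len(pat[i]);
        if (len == 0) len = 1;
        if (i + len > n) return i + len - n;
        i += len;
    }
    return 0;
}

/* Bounded decoder: decodes one code point from [p, end). Returns the number
 * of bytes consumed, or 0 for a malformed or truncated sequence. It never
 * reads at or beyond end, whatever the lead byte claims. (Overlong forms
 * and surrogates are not rejected here; the point is the bounds check.) */
size_t utf8_mbc_to_code_checked(const unsigned char *p, const unsigned char *end, uint32_t *code)
{
    if (p >= end) return 0;
    size_t len = utf8_claimed_len(p[0]);
    if (len == 0 || (size_t)(end - p) < len) return 0;  /* not a lead byte, or truncated */
    if (len > 4) return 0;                               /* 5/6-byte forms are not UTF-8 */
    uint32_t c = (len == 1) ? p[0] : (uint32_t)(p[0] & (0x7F >> len));
    for (size_t k = 1; k < len; k++) {
        if ((p[k] & 0xC0) != 0x80) return 0;             /* bad continuation byte */
        c = (c << 6) | (p[k] & 0x3F);
    }
    *code = c;
    return len;
}

/* Validate a whole pattern before handing it to a regex engine: every
 * sequence must decode within bounds. Returns 1 if valid, otherwise 0 and
 * stores the offset of the first bad sequence in *bad_at (if non-NULL). */
int utf8_pattern_is_valid(const unsigned char *pat, size_t n, size_t *bad_at)
{
    const unsigned char *p = pat, *end = pat + n;
    while (p < end) {
        uint32_t code;
        size_t used = utf8_mbc_to_code_checked(p, end, &code);
        if (used == 0) {
            if (bad_at) *bad_at = (size_t)(p - pat);
            return 0;
        }
        p += used;
    }
    return 1;
}

int main(void)
{
    size_t bad = 0;
    printf("truncated sample: a trusting decoder would read %zu byte(s) past the end\n",
           utf8_over_read_if_trusted(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("truncated sample valid? %d (first bad sequence at offset %zu)\n",
           utf8_pattern_is_valid(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &bad), bad);
    printf("euro-cut sample: over-read %zu, valid? %d\n",
           utf8_over_read_if_trusted(SAMPLE_EURO_CUT, sizeof SAMPLE_EURO_CUT),
           utf8_pattern_is_valid(SAMPLE_EURO_CUT, sizeof SAMPLE_EURO_CUT, NULL));
    printf("valid sample valid? %d\n",
           utf8_pattern_is_valid(SAMPLE_VALID, sizeof SAMPLE_VALID, NULL));
    return 0;
}
```

The bounds check `(end - p) < len` is the whole difference between the two decoders: the length may still come from the lead byte, but it is compared against the bytes actually remaining before a single continuation byte is touched. Validating patterns with such a check (or, in PHP, rejecting patterns that fail mb_check_encoding() for the configured regex encoding) is the defensive layer that keeps a malformed pattern from reaching the engine at all, independent of the engine-side fixes shipped in the updates below.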
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-04-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64226
SUSE-SU-2019:14013-1: An update that fixes 11 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722,1128883,1128886,1128887,1128889,1128892
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.58.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.58.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.58.1
*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:0985-1: An update that fixes 6 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9641
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.51.6
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.51.6
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.51.6
*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1256-1: An update that fixes 6 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9641
Sources used:
openSUSE Leap 42.3 (src): php5-5.5.14-115.1

openSUSE-SU-2019:1293-1: An update that solves 11 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1126711,1126713,1126821,1126823,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032
CVE References: CVE-2018-20783,CVE-2019-9020,CVE-2019-9021,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 42.3 (src): php7-7.0.7-58.1

SUSE-SU-2019:1461-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): php7-7.2.5-4.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): php7-7.2.5-4.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1572-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.3.1

openSUSE-SU-2019:1573-1: An update that solves 16 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1118832,1119396,1126711,1126713,1126821,1126823,1126827,1127122,1128722,1128883,1128886,1128887,1128889,1128892,1129032,1132837,1132838,1134322
CVE References: CVE-2018-19935,CVE-2018-20783,CVE-2019-11034,CVE-2019-11035,CVE-2019-11036,CVE-2019-9020,CVE-2019-9021,CVE-2019-9022,CVE-2019-9023,CVE-2019-9024,CVE-2019-9637,CVE-2019-9638,CVE-2019-9639,CVE-2019-9640,CVE-2019-9641,CVE-2019-9675
Sources used:
openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.19.1
done
This is an autogenerated message for OBS integration: This bug (1126823) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1126823) was mentioned in https://build.opensuse.org/request/show/802978 Factory / php7
This is an autogenerated message for OBS integration: This bug (1126823) was mentioned in https://build.opensuse.org/request/show/804946 Factory / php7
This is an autogenerated message for OBS integration: This bug (1126823) was mentioned in https://build.opensuse.org/request/show/1120490 Backports:SLE-15-SP5 / php81