ext/pcre: preg_match() fix memory leak with invalid regexes.

devnexen · devnexen · commit 6c45f7a000bc · 2026-02-24T22:19:27.000Z
close GH-21290
diff --git a/NEWS b/NEWS
@@ -55,6 +55,9 @@ PHP                                                                        NEWS
   . Fixed pcntl_signal_dispatch() stale pointer and exception
     handling. (David Carlier)
 
+- PCRE:
+  . Fixed preg_match memory leak with invalid regexes. (David Carlier)
+
 - PDO_PGSQL:
   . Fixed bug GH-21055 (connection attribute status typo for GSS negotiation).
     (lsaos)
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
@@ -1489,7 +1489,8 @@ ZEND_FRAMELESS_FUNCTION(preg_match, 2)
 	/* Compile regex or get it from cache. */
 	pcre_cache_entry *pce;
 	if ((pce = pcre_get_compiled_regex_cache(regex)) == NULL) {
-		RETURN_FALSE;
+		RETVAL_FALSE;
+		goto flf_clean;
 	}
 
 	pce->refcount++;
diff --git a/ext/pcre/tests/preg_match_frameless_leak.phpt b/ext/pcre/tests/preg_match_frameless_leak.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Memory leak in preg_match() frameless function with invalid regex and object arguments
+--FILE--
+<?php
+class Str {
+    private $val;
+    public function __construct($val) {
+        $this->val = $val;
+    }
+    public function __toString() {
+        return $this->val;
+    }
+}
+
+$regex = new Str("invalid regex");
+$subject = new Str("some subject");
+
+// Running in a loop to ensure leak detection if run with memory tools
+for ($i = 0; $i < 100; $i++) {
+    @preg_match($regex, $subject);
+}
+
+echo "Done";
+?>
+--EXPECT--
+Done

Original file line number	Diff line number	Diff line change
`@@ -1489,7 +1489,8 @@ ZEND_FRAMELESS_FUNCTION(preg_match, 2)`
`1489`	`1489`	`/* Compile regex or get it from cache. */`
`1490`	`1490`	`pcre_cache_entry *pce;`
`1491`	`1491`	`if ((pce = pcre_get_compiled_regex_cache(regex)) == NULL) {`
`1492`		`- RETURN_FALSE;`
	`1492`	`+ RETVAL_FALSE;`
	`1493`	`+ goto flf_clean;`
`1493`	`1494`	`}`
`1494`	`1495`
`1495`	`1496`	`pce->refcount++;`