memory leak zend_language_scanner zend_language_parser #22526

@YuanchengJiang

Description

The following code:

<?php
try {
    function main() {
        // Build 10000 nested, unterminated closure headers; the resulting
        // source is never syntactically complete, so eval() raises ParseError.
        $code = '';
        for ($i = 0; $i < 10000; $i++) {
            $code .= '  return function() {' . PHP_EOL;
        }
        try {
            eval($code);
        } catch (ParseError $e) {
            // Re-enter main() from the ParseError handler, which builds the
            // same source again and calls eval() on it recursively.
            main();
        }
    }
    main();
} catch (\Throwable $_ffl_e) {}

Resulted in this output:


=================================================================
==3757835==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 100007 byte(s) in 1 object(s) allocated from:
    #0 0x6807ad in malloc (/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php+0x6807ad)
    #1 0x6301ff9 in zendparse /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_language_parser.c:5488:11
    #2 0x6368092 in zend_compile /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_language_scanner.l:602:7
    #3 0x637087d in compile_string /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_language_scanner.l:829:13
    #4 0x606a21d in zend_include_or_eval /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_execute.c:5379:20
    #5 0x5c8166c in ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_vm_execute.h:40195:17
    #6 0x59bbfcb in execute_ex /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_vm_execute.h:110228:12
    #7 0x59be4f3 in zend_execute /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend_vm_execute.h:115646:2
    #8 0x66b1389 in zend_execute_script /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/Zend/zend.c:1972:3
    #9 0x4f0ce8a in php_execute_script_ex /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/main/main.c:2655:13
    #10 0x4f0e3c8 in php_execute_script /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/main/main.c:2695:9
    #11 0x66c5359 in do_cli /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php_cli.c:947:5
    #12 0x66bf82f in main /home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php_cli.c:1370:18
    #13 0x7fa3138f7d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: 100007 byte(s) leaked in 1 allocation(s).

To reproduce:

/home/fuzz/WorkSpace/fusion-fuzz/projects/php/php-src/sapi/cli/php  ./test.php

Commit:

fd8eaaf153f958c66068e3bc71b950ee33cb56e8

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This bug was found by fusion-fuzz.

PHP Version

nightly
