Prevent regex cache reuse when JIT flag does not match php.ini

mvorisek · mvorisek · commit 77e72f58fe62 · 2023-08-11T23:34:12.000+02:00
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
@@ -41,6 +41,8 @@
 
 #define PREG_JIT                    (1<<3)
 
+#define PREG_JIT_ATTEMPTED          (1<<4)
+
 #define PCRE_CACHE_SIZE 4096
 
 struct _pcre_cache_entry {
@@ -618,7 +620,12 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 	char				*p, *pp;
 	char				*pattern;
 	size_t				 pattern_len;
+#ifdef HAVE_PCRE_JIT_SUPPORT
+    bool				 jit_enabled = PCRE_G(jit);
+	uint32_t			 poptions = jit_enabled ? PREG_JIT_ATTEMPTED : 0;
+#else
 	uint32_t			 poptions = 0;
+#endif
 	const uint8_t       *tables = NULL;
 	zval                *zv;
 	pcre_cache_entry	 new_entry;
@@ -638,10 +645,19 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 	   back the compiled pattern, otherwise go on and compile it. */
 	zv = zend_hash_find(&PCRE_G(pcre_cache), key);
 	if (zv) {
-		if (key != regex) {
-			zend_string_release_ex(key, 0);
+		pcre_cache_entry *pce = (pcre_cache_entry*)Z_PTR_P(zv);
+#ifdef HAVE_PCRE_JIT_SUPPORT
+		if ((bool)(pce->preg_options & PREG_JIT_ATTEMPTED) == jit_enabled) {
+#endif
+			if (key != regex) {
+				zend_string_release_ex(key, 0);
+			}
+			return pce;
+#ifdef HAVE_PCRE_JIT_SUPPORT
+		} else {
+			zend_hash_del(&PCRE_G(pcre_cache), key);
 		}
-		return (pcre_cache_entry*)Z_PTR_P(zv);
+#endif
 	}
 
 	p = ZSTR_VAL(regex);
@@ -821,7 +837,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, in
 	}
 
 #ifdef HAVE_PCRE_JIT_SUPPORT
-	if (PCRE_G(jit)) {
+	if (jit_enabled) {
 		/* Enable PCRE JIT compiler */
 		rc = pcre2_jit_compile(re, PCRE2_JIT_COMPLETE);
 		if (EXPECTED(rc >= 0)) {
diff --git a/ext/pcre/tests/gh11374.phpt b/ext/pcre/tests/gh11374.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-11374 PCRE cache entry must not be reused when PCRE JIT flag has changed
+--SKIPIF--
+<?php
+if (ini_get("pcre.jit") === false) {
+    die("skip no jit built");
+}
+--FILE--
+<?php
+
+// testing if PCRE cache entry was reused or not is not possible from userland, so instead we test
+// if PCRE JIT flag can be cleared and the pcre_match pass
+
+foreach ([true, false, true] as $pcreJit) {
+    ini_set('pcre.jit', $pcreJit ? '1' : '0');
+    var_dump(ini_get('pcre.jit'));
+
+    var_dump(preg_match('/^a(b+)/', 'abbc', $matches));
+    var_dump($matches === ['abb', 'bb']);
+}
+
+?>
+--EXPECT--
+string(1) "1"
+int(1)
+bool(true)
+string(1) "0"
+int(1)
+bool(true)
+string(1) "1"
+int(1)
+bool(true)
