ASan negative-size-param in preg_match_all() with \C + UTF-8 multibyte input #21134

@vi3tL0u1s

Description

The following code:

<?php
$str = " lisrep columns=2  $d)', 'avar_d?:Þßà";
preg_match_all("/([',$str\"]?.*)\\C/iu", $str, $str_instead);

Resulted in this output:

=================================================================
==648951==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 in __asan_memcpy (sapi/cli/php)
    #1 in zend_string_init Zend/zend_string.h:191
    #2 in zend_string_init_fast Zend/zend_string.h:199
    #3 in populate_match_value_str ext/pcre/php_pcre.c:944
    #4 in populate_match_value ext/pcre/php_pcre.c:957
    #5 in php_pcre_match_impl ext/pcre/php_pcre.c:1306
    #6 in php_do_pcre_match ext/pcre/php_pcre.c:1125
    #7 in zif_preg_match_all ext/pcre/php_pcre.c:1500
    #8 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER Zend/zend_vm_execute.h:1318
    #9 in execute_ex Zend/zend_vm_execute.h:110029
    #10 in zend_execute Zend/zend_vm_execute.h:115447
    #11 in zend_execute_script Zend/zend.c:1980
    #12 in php_execute_script_ex main/main.c:2648
    #13 in php_execute_script main/main.c:2688
    #14 in do_cli sapi/cli/php_cli.c:949
    #15 in main sapi/cli/php_cli.c:1360

SUMMARY: AddressSanitizer: negative-size-param in __asan_memcpy
==648951==ABORTING

Commit

06dac62747f0819ebc110fd6ab4a90a0229bd2b6

Build Configuration

./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.6.0-dev (cli) (built: Feb  5 2026 18:41:44) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies

Operating System

Ubuntu 22.04
