]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1666cfc)
Fix out-of-bounds write
authorK.Kosako <kkosako0@gmail.com>
Mon, 21 Sep 2020 03:58:29 +0000 (12:58 +0900)
committerChristoph M. Becker <cmbecker69@gmx.de>
Fri, 2 Oct 2020 13:02:35 +0000 (15:02 +0200)
Fixes CVE-2020-26159.

Backported from <https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0>.

ext/mbstring/oniguruma/src/regcomp.c patch | blob | history

diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
index 69d4b95f9521466564c818d8a72dabacb67bc0b4..4f68af234529d9bbb6dc91175317e2388bbb9adb 100644 (file)
--- a/ext/mbstring/oniguruma/src/regcomp.c
+++ b/ext/mbstring/oniguruma/src/regcomp.c
@@ -5603,7 +5603,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc)
 
   for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
     len = enclen(enc, p);
-    if (i + len > OPT_EXACT_MAXLEN) break;
+    if (i + len >= OPT_EXACT_MAXLEN) break;
     for (j = 0; j < len && p < end; j++)
       to->s[i++] = *p++;
   }
Unnamed repository; edit this file 'description' to name the repository.