From: Christoph M. Becker Date: Tue, 20 Oct 2020 15:09:20 +0000 (+0200) Subject: Revert "Fix out-of-bounds write" X-Git-Tag: php-7.3.25RC1~8 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=be6d72b3a445a37f48b021e3e8e85e3a00924d71;p=php Revert "Fix out-of-bounds write" This reverts commit bf6873a18e3b6b00f82a645c0893a281ae8eadb8. CVE-2020-26159 is bogus; the "bug" was apparently a false positive reported by Coverity, and the "fix" apparently wrong, see . Closes GH-6357. --- diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c index 4f68af2345..69d4b95f95 100644 --- a/ext/mbstring/oniguruma/src/regcomp.c +++ b/ext/mbstring/oniguruma/src/regcomp.c @@ -5603,7 +5603,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc) for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) { len = enclen(enc, p); - if (i + len >= OPT_EXACT_MAXLEN) break; + if (i + len > OPT_EXACT_MAXLEN) break; for (j = 0; j < len && p < end; j++) to->s[i++] = *p++; }
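Review bot: The restored check `if (i + len > OPT_EXACT_MAXLEN) break;` in concat_opt_exact_str allows `i + len == OPT_EXACT_MAXLEN`, so the inner loop can write up to `to->s[OPT_EXACT_MAXLEN - 1]`. That is in bounds only if `to->s` holds at least OPT_EXACT_MAXLEN bytes and nothing after the loop stores a terminator at `to->s[i]`. Neither the declaration nor the code after the loop is visible in this hunk. Suggest a one-line comment above the check naming the buffer size it relies on, or a compile-time assertion on the array size, so that the next static-analysis report against this line can be settled from the code itself. The commit message's "see ." also no longer carries the reference that supports calling the earlier fix wrong; that pointer should accompany the revert.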