From 4f50d58caba8286b5c533f6925b2ec320dd0742e Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 4 Oct 2019 19:02:37 +0200
Subject: [PATCH] Fix #78633: Heap buffer overflow (read) in mb_eregi

We backport kkos/oniguruma@15c4228aa2ffa02140a99912dd3177df0b1841c6.
---
 ext/mbstring/oniguruma/src/regcomp.c | 2 +-
 ext/mbstring/oniguruma/src/regexec.c | 1 +
 ext/mbstring/tests/bug78633.phpt | 13 +++++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ext/mbstring/tests/bug78633.phpt

diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
index d1fbd1376e..e91bdec206 100644
--- a/ext/mbstring/oniguruma/src/regcomp.c
+++ b/ext/mbstring/oniguruma/src/regcomp.c
@@ -724,8 +724,8 @@ add_compile_string(UChar* s, int mb_len, int str_len,
 COP(reg)->exact_n.s = p;
 }
 else {
+ xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s));
 xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len);
- COP(reg)->exact.s[byte_len] = '\0';
 }
 return 0;
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c
index 32c750b1f1..a4809baf5d 100644
--- a/ext/mbstring/oniguruma/src/regexec.c
+++ b/ext/mbstring/oniguruma/src/regexec.c
@@ -2900,6 +2900,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 DATA_ENSURE(0);
 q = lowbuf;
 while (len-- > 0) {
+ if (ps >= endp) goto fail;
 if (*ps != *q) goto fail;
 ps++; q++;
 }
diff --git a/ext/mbstring/tests/bug78633.phpt b/ext/mbstring/tests/bug78633.phpt
new file mode 100644
index 0000000000..3ff69a1867
--- /dev/null
+++ b/ext/mbstring/tests/bug78633.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78633 (Heap buffer overflow (read) in mb_eregi)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+bool(false)
-- 
2.40.0
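Review bot: The `xmemcpy` into `COP(reg)->exact.s` in the `else` branch of add_compile_string is still not bounded by anything visible in this hunk: `byte_len` is cast to `size_t` and copied as is. The removed `exact.s[byte_len] = '\0'` write suggests `byte_len` may be able to reach the array size, in which case the buffer is now zero-padded but carries no terminator, so every reader has to go by length. I would state that above the new `xmemset`, for example `/* exact.s is zero-padded, not NUL-terminated; byte_len <= sizeof(exact.s) is guaranteed by the opcode selection */`, after confirming where that bound is enforced. The function starts and ends outside the hunk, so the guarantee may exist in lines not shown.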
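Review bot: The new `if (ps >= endp) goto fail;` in match_at is re-evaluated for every folded byte, although the remaining length is already known before the inner `while` starts. Assuming `endp` marks the end of the pattern string that `ps` walks, and nothing reached through `fail` depends on the partially advanced pointers, a single guard ahead of the loop, `if (len > (int )(endp - ps)) goto fail;`, reads more directly as a length check. A one-line comment such as `/* the case-folded text can be longer than what is left of the pattern string */` would also record why the bound is needed. The declarations of `ps`, `endp` and `len` lie outside the hunk, and any other case-fold comparison loop in this function that advances a pattern pointer the same way would presumably want the same bound.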
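Review bot: The `--EXPECT--` section pins only `bool(false)`, which does not by itself show that the over-read is gone: a heap read past the buffer can leave the return value unchanged, so this test would mostly catch a regression when the suite runs under a memory checker. The `--FILE--` and `--SKIPIF--` bodies are not visible on this page, so this is judged from the title and the expected output alone. I would add a `--DESCRIPTION--` section saying so, for example `Only meaningful under ASan or valgrind; the return value alone does not detect the over-read.`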