From 999a3553d58c537b4919821855b2cc8fb62b0b2f Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Wed, 15 Jun 2016 14:54:57 +0800
Subject: [PATCH] Fixed(attempt to) bug #72405 (mb_ereg_replace - mbc_to_code
 (oniguruma) - oob read access)

according to ext/mbstring/oniguruma/enc/utf8.c, max bytes are 6
---
 NEWS                       | 2 ++
 ext/mbstring/php_mbregex.c | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 4a8d686ce5..477be3da47 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.9
 
 - Mbstring:
+  . Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) -
+    oob read access). (Laruence)
   . Fixed bug #72399 (Use-After-Free in MBString (search_re)). (Laruence)
 
 - Standard:
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index c1f9fc2560..2337926740 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -811,7 +811,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 	OnigUChar *pos;
 	OnigUChar *string_lim;
 	char *description = NULL;
-	char pat_buf[4];
+	char pat_buf[6];
 
 	const mbfl_encoding *enc;
 
@@ -864,6 +864,8 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
 		pat_buf[1] = '\0';
 		pat_buf[2] = '\0';
 		pat_buf[3] = '\0';
+		pat_buf[4] = '\0';
+		pat_buf[5] = '\0';
 
 		arg_pattern = pat_buf;
 		arg_pattern_len = 1;
-- 
2.40.0