Fix #78559: Heap buffer overflow in mb_eregi

cmb69 · smalyshev · commit 8f949eba8083 · 2019-09-23T21:49:55.000-07:00
We backport kkos/oniguruma@d3e4029.
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c
@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
     q = lowbuf;
     while (lowlen > 0) {
+      if (t >= tend)    return 0;
       if (*t++ != *q++) return 0;
       lowlen--;
     }
diff --git a/ext/mbstring/tests/bug78559.phpt b/ext/mbstring/tests/bug78559.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78559 (#78559	Heap buffer overflow in mb_eregi)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (!function_exists('mb_ereg')) die('skip mb_ereg() not available');
+?>
+--FILE--
+<?php
+$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
+$str = hex2bin($str);
+var_dump(mb_eregi($str, $str));
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,`
`4196`	`4196`	`lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);`
`4197`	`4197`	`q = lowbuf;`
`4198`	`4198`	`while (lowlen > 0) {`
	`4199`	`+ if (t >= tend) return 0;`
`4199`	`4200`	`if (t++ != q++) return 0;`
`4200`	`4201`	`lowlen--;`
`4201`	`4202`	`}`