Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c

libpcre2 can return the special value -1 for a non-match.
In this case we get pointer overflow, although it doesn't matter in
practice because the pointer will be in bounds and the copy length will
be 0. Still, we should fix the UBSAN warning.

Closes GH-16205.

Author: nielsdos

NEWS

@@ -38,7 +38,9 @@ PHP                                                                        NEWS
   . Fixed stub for openssl_csr_new. (Jakub Zelenka)
 
 - PCRE:
-  . Fixed GH-16189 (underflow on offset argument). (David Carlier)
+  . Fixed bug GH-16189 (underflow on offset argument). (David Carlier)
+  . Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
+    (nielsdos)
 
 - PHPDBG:
   . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)

ext/pcre/php_pcre.c

@@ -1747,9 +1747,11 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 						}
 						if (preg_get_backref(&walk, &backref)) {
 							if (backref < count) {
-								match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
-								memcpy(walkbuf, subject + offsets[backref<<1], match_len);
-								walkbuf += match_len;
+								if (offsets[backref<<1] < SIZE_MAX) {
+									match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
+									memcpy(walkbuf, subject + offsets[backref<<1], match_len);
+									walkbuf += match_len;
+								}
 							}
 							continue;
 						}

ext/pcre/tests/gh16184.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c)
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+
+$string = 'This is a string. It contains numbers (0*9) as well as parentheses and some other things!';
+echo preg_replace(array('/\b\w{1}s/', '/(\d{1})*(\d{1})/', '/[\(!\)]/'), array('test', '$1 to $2', '*'), $string), "\n";
+
+?>
+--EXPECT--
+This test a string. It contains numbers * to 0* to 9* test well test parentheses and some other things*