Fix #78559: Heap buffer overflow in mb_eregi

We backport kkos/oniguruma@d3e402928b6eb3327f8f7d59a9edfa622fec557b.

2 files changed, 16 insertions, 0 deletions

diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c
index f957b75923..32c750b1f1 100644
--- a/ext/mbstring/oniguruma/src/regexec.c
+++ b/ext/mbstring/oniguruma/src/regexec.c
@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
     q = lowbuf;
     while (lowlen > 0) {
+      if (t >= tend)    return 0;
       if (*t++ != *q++) return 0;
       lowlen--;
     }
diff --git a/ext/mbstring/tests/bug78559.phpt b/ext/mbstring/tests/bug78559.phpt
new file mode 100644
index 0000000000..afe412c141
--- /dev/null
+++ b/ext/mbstring/tests/bug78559.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78559 (#78559	Heap buffer overflow in mb_eregi)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (!function_exists('mb_ereg')) die('skip mb_ereg() not available');
+?>
+--FILE--
+<?php
+$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
+$str = hex2bin($str);
+var_dump(mb_eregi($str, $str));
+?>
+--EXPECT--
+bool(false)