Merge branch 'PHP-7.3'

* PHP-7.3:
  Fix #77367: Negative size parameter in mb_split
  Fix #77369 - memcpy with negative length via crafted DNS response
  Fix more issues with encodilng length
  Fix #77270: imagecolormatch Out Of Bounds Write on Heap
  Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
  Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
  Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
  Fix #77269: Potential unsigned underflow in gdImageScale
  Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
  Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
  Regenerate certs for openssl tests

1 files changed, 2 insertions, 3 deletions

diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 68922b6966..85219b00e4 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -1238,7 +1238,6 @@ PHP_FUNCTION(mb_split)
 	size_t string_len;
 
 	int err;
-	size_t n;
 	zend_long count = -1;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
@@ -1296,8 +1295,8 @@ PHP_FUNCTION(mb_split)
 	}
 
 	/* otherwise we just have one last element to add to the array */
-	n = ((OnigUChar *)(string + string_len) - chunk_pos);
-	if (n > 0) {
+	if ((OnigUChar *)(string + string_len) > chunk_pos) {
+		size_t n = ((OnigUChar *)(string + string_len) - chunk_pos);
 		add_next_index_stringl(return_value, (char *)chunk_pos, n);
 	} else {
 		add_next_index_stringl(return_value, "", 0);