fixes bad address given to onig_error_code_to_str

Closes bug #72710

(cherry picked from commit 0fb7eb6723bcc6fd98053911543e801edb5ab763)

3 files changed, 15 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 48a78c8f1b..49d6c3207e 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,8 @@ PHP                                                                        NEWS
     zero-width). (cmb)
   . Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last
     position). (cmb)
+  . Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
+    (ju1ius)
 
 - PCRE:
   . Fixed bug #72688 (preg_match missing group names in matches). (cmb)
diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
index 9873a85da1..7e9756fa15 100644
--- a/ext/mbstring/php_mbregex.c
+++ b/ext/mbstring/php_mbregex.c
@@ -456,7 +456,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
 	found = zend_hash_find(&MBREX(ht_rc), (char *)pattern, patlen+1, (void **) &rc);
 	if (found == FAILURE || (*rc)->options != options || (*rc)->enc != enc || (*rc)->syntax != syntax) {
 		if ((err_code = onig_new(&retval, (OnigUChar *)pattern, (OnigUChar *)(pattern + patlen), options, enc, syntax, &err_info)) != ONIG_NORMAL) {
-			onig_error_code_to_str(err_str, err_code, err_info);
+			onig_error_code_to_str(err_str, err_code, &err_info);
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "mbregex compile err: %s", err_str);
 			retval = NULL;
 			goto out;
diff --git a/ext/mbstring/tests/bug72710.phpt b/ext/mbstring/tests/bug72710.phpt
new file mode 100644
index 0000000000..19becc5010
--- /dev/null
+++ b/ext/mbstring/tests/bug72710.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip ext/mbstring required');
+?>
+--FILE--
+<?php
+mb_ereg('(?<0>a)', 'a');
+?>
+--EXPECTF--
+Warning: mb_ereg(): mbregex compile err: invalid group name <0> in %s on line %d