Fix #78633: Heap buffer overflow (read) in mb_eregi

We backport kkos/oniguruma@15c4228aa2ffa02140a99912dd3177df0b1841c6.

3 files changed, 15 insertions, 1 deletions

diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
index d1fbd1376e..e91bdec206 100644
--- a/ext/mbstring/oniguruma/src/regcomp.c
+++ b/ext/mbstring/oniguruma/src/regcomp.c
@@ -724,8 +724,8 @@ add_compile_string(UChar* s, int mb_len, int str_len,
     COP(reg)->exact_n.s = p;
   }
   else {
+    xmemset(COP(reg)->exact.s, 0, sizeof(COP(reg)->exact.s));
     xmemcpy(COP(reg)->exact.s, s, (size_t )byte_len);
-    COP(reg)->exact.s[byte_len] = '\0';
   }
 
   return 0;
diff --git a/ext/mbstring/oniguruma/src/regexec.c b/ext/mbstring/oniguruma/src/regexec.c
index 32c750b1f1..a4809baf5d 100644
--- a/ext/mbstring/oniguruma/src/regexec.c
+++ b/ext/mbstring/oniguruma/src/regexec.c
@@ -2900,6 +2900,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
           DATA_ENSURE(0);
           q = lowbuf;
           while (len-- > 0) {
+            if (ps >= endp) goto fail;
             if (*ps != *q) goto fail;
             ps++; q++;
           }
diff --git a/ext/mbstring/tests/bug78633.phpt b/ext/mbstring/tests/bug78633.phpt
new file mode 100644
index 0000000000..3ff69a1867
--- /dev/null
+++ b/ext/mbstring/tests/bug78633.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78633 (Heap buffer overflow (read) in mb_eregi)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+if (!function_exists('mb_eregi')) die('skip mb_eregi function not available');
+?>
+--FILE--
+<?php
+var_dump(mb_eregi(".+Isssǰ", ".+Isssǰ"));
+?>
+--EXPECT--
+bool(false)