From 9f6a5a027035d1fe7171a4fdd9b123cc4f439708 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 29 Jul 2019 19:31:47 +0200
Subject: Fix #78338: Array cross-border reading in PCRE

We backport r1092 from pcre2.

(cherry picked from commit 8947fd9e9fdce87cd6c59817b1db58e789538fe9)
---
 NEWS | 3 +++
 ext/pcre/pcre2lib/pcre2_jit_compile.c | 2 +-
 ext/pcre/tests/bug78338.phpt | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 ext/pcre/tests/bug78338.phpt

diff --git a/NEWS b/NEWS
index f95c075544..d31d60832c 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ PHP NEWS
 - OPcache:
 . Fixed bug #78341 (Failure to detect smart branch in DFA pass). (Nikita)
+- PCRE:
+ . Fixed bug #78338 (Array cross-border reading in PCRE). (cmb)
+
 - Phar:
 . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
diff --git a/ext/pcre/pcre2lib/pcre2_jit_compile.c b/ext/pcre/pcre2lib/pcre2_jit_compile.c
index e2b08ba22a..c491be2917 100644
--- a/ext/pcre/pcre2lib/pcre2_jit_compile.c
+++ b/ext/pcre/pcre2lib/pcre2_jit_compile.c
@@ -7288,7 +7288,7 @@ int lgb, rgb, ricount;
 PCRE2_SPTR bptr;
 uint32_t c;
-GETCHARINC(c, cc);
+c = *cc++;
 lgb = UCD_GRAPHBREAK(c);
 while (cc < end_subject)
diff --git a/ext/pcre/tests/bug78338.phpt b/ext/pcre/tests/bug78338.phpt
new file mode 100644
index 0000000000..ec5bf1b946
--- /dev/null
+++ b/ext/pcre/tests/bug78338.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #78338 (Array cross-border reading in PCRE)
+--FILE--
+--EXPECT--
+DONE
--
cgit v1.2.1
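Review bot: The new line `c = *cc++;` in the pcre2_jit_compile.c hunk has no comment explaining why the character-decoding macro must not be used here, so a later cleanup could restore `GETCHARINC(c, cc)` and reintroduce the out-of-bounds read named in the subject. I would add `/* Read exactly one code unit; GETCHARINC may consume several units and run past end_subject (bug #78338). */` directly above it. The first read is also not compared with `end_subject`, unlike the reads guarded by `while (cc < end_subject)`; presumably the caller guarantees at least one unit remains, and that precondition is worth stating in the same comment. The enclosing function starts and ends outside the hunk, so this rests on the visible lines only.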