From 9a96e864885ccc3b19d360ba410a562eb7c5dc45 Mon Sep 17 00:00:00 2001
From: gwx620998
Date: Sat, 23 Mar 2019 03:34:11 -0400
Subject: [PATCH] CVE-2019-9023
Signed-off-by: gwx620998
---
 ext/mbstring/oniguruma/src/regcomp.c | 3 +++
 ext/mbstring/oniguruma/src/regparse.c | 2 ++
 ext/mbstring/oniguruma/src/unicode.c | 1 +
 ext/mbstring/oniguruma/src/utf32_be.c | 3 ++-
 4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
index 0e9a9ab..cf914cc 100644
--- a/ext/mbstring/oniguruma/src/regcomp.c
+++ b/ext/mbstring/oniguruma/src/regcomp.c
@@ -476,6 +476,7 @@ compile_length_string_node(Node* node, regex_t* reg)
 for (; p < sn->end; ) {
 len = enclen(enc, p);
+ if (p + len > sn->end) len = sn->end - p;
 if (len == prev_len) {
 slen++;
 }
@@ -524,6 +525,7 @@ compile_string_node(Node* node, regex_t* reg)
 for (; p < end; ) {
 len = enclen(enc, p);
+ if (p + len > end) len = end - p;
 if (len == prev_len) {
 slen++;
 }
@@ -3436,6 +3438,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
 }
 len = enclen(reg->enc, p);
+ if (p + len > end) len = end - p;
 if (n == 0) {
 if (IS_NULL(snode)) {
diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c
index 8153513..9393b9d 100644
--- a/ext/mbstring/oniguruma/src/regparse.c
+++ b/ext/mbstring/oniguruma/src/regparse.c
@@ -3594,6 +3594,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
 }
 else { /* string */
 p = tok->backp + enclen(enc, tok->backp);
+ if (p > end) p = end;
 }
 }
 break;
@@ -3763,6 +3764,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
 out:
 #endif
 *src = p;
+ if (*src > end) *src = end;
 return tok->type;
 }
diff --git a/ext/mbstring/oniguruma/src/unicode.c b/ext/mbstring/oniguruma/src/unicode.c
index 8812ca2..cbdc42f 100644
--- a/ext/mbstring/oniguruma/src/unicode.c
+++ b/ext/mbstring/oniguruma/src/unicode.c
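Review bot: In regcomp.c, the new check `if (p + len > sn->end) len = sn->end - p;` in compile_length_string_node builds `p + len` before comparing it. When enclen() reports more bytes than remain, that pointer lies beyond one-past-the-end of the string, which is undefined behaviour in C and may let an optimizer drop the check. Comparing lengths avoids forming the pointer: `if (len > sn->end - p) len = (int)(sn->end - p);` (the cast assumes `len` is an `int`, declared outside the hunk). The same form appears in the compile_string_node and expand_case_fold_string hunks and in the unicode.c hunk (`*pp + len > end`). A comment such as `/* enclen() trusts the lead byte; clamp a truncated trailing character to the buffer */` would record why the clamp exists; all three functions start and end outside their hunks.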
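Review bot: In regparse.c, both clamps in fetch_token (`if (p > end) p = end;` and `if (*src > end) *src = end;`) run only after the cursor has already moved past `end`. They repair the value handed back to the caller but do not prevent a read made between the advance and the clamp. The exit-path clamp after `out:` is a catch-all, and the rest of fetch_token is outside the hunk, so it should be confirmed that no fetch or peek on `p` happens once it has overshot. Bounding the step before taking it keeps the pointer in range throughout, for example `n = enclen(enc, tok->backp); p = (n > end - tok->backp) ? end : tok->backp + n;` with a local `n`.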
@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
 code = ONIGENC_MBC_TO_CODE(enc, p, end);
 len = enclen(enc, p);
+ if (*pp + len > end) len = end - *pp;
 *pp += len;
 #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c
index d0c7f39..4cf6fed 100644
--- a/ext/mbstring/oniguruma/src/utf32_be.c
+++ b/ext/mbstring/oniguruma/src/utf32_be.c
@@ -65,8 +65,9 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
 }
 static OnigCodePoint
-utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf32be_mbc_to_code(const UChar* p, const UChar* end)
 {
+ if (p + 4 > end) return (OnigCodePoint ) NULL;
 return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }
-- 
1.8.3.1
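Review bot: In onigenc_unicode_mbc_case_fold (unicode.c), the clamp comes after `ONIGENC_MBC_TO_CODE(enc, p, end)` has already decoded the character, so a truncated trailing sequence is decoded before its length is known to fit. Safety at that call depends on each encoding's mbc_to_code honouring `end`, and this patch adds such a check for utf32_be only. It is worth confirming that the other multibyte decoders (not shown here) bound their reads the same way, or moving the length check ahead of the decode. The start of the function is outside the hunk, so `p` is presumably the entry value of `*pp`.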
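Review bot: In utf32be_mbc_to_code, `return (OnigCodePoint ) NULL;` converts a null pointer constant to an integer code point. That yields 0 on common platforms but relies on an implementation-defined conversion and can draw a compiler warning, so `return 0;` states the intent directly. Returning 0 also makes a truncated sequence indistinguishable from a genuine U+0000, which deserves a comment such as `/* fewer than 4 bytes left: truncated sequence, reported as code point 0 */`. The guard is safer written as `if (end - p < 4) return 0;`, which never forms a pointer past the buffer. The diffstat lists utf32_be.c as the only encoding file touched; if little-endian or UTF-16 decoders with the same unchecked indexing exist in this tree, they would need the same guard.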