Fix out-of-bounds write

kkos · cmb69 · commit bf6873a18e3b · 2020-10-02T15:02:35.000+02:00
Fixes CVE-2020-26159. Backported from <kkos/oniguruma@cbe9f8b>.
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
@@ -5603,7 +5603,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc)
 
   for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
     len = enclen(enc, p);
-    if (i + len > OPT_EXACT_MAXLEN) break;
+    if (i + len >= OPT_EXACT_MAXLEN) break;
     for (j = 0; j < len && p < end; j++)
       to->s[i++] = *p++;
   }

Original file line number	Diff line number	Diff line change
`@@ -5603,7 +5603,7 @@ concat_opt_exact_str(OptStr* to, UChar* s, UChar* end, OnigEncoding enc)`
`5603`	`5603`
`5604`	`5604`	`for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {`
`5605`	`5605`	`len = enclen(enc, p);`
`5606`		`- if (i + len > OPT_EXACT_MAXLEN) break;`
	`5606`	`+ if (i + len >= OPT_EXACT_MAXLEN) break;`
`5607`	`5607`	`for (j = 0; j < len && p < end; j++)`
`5608`	`5608`	`to->s[i++] = *p++;`
`5609`	`5609`	`}`