segfault / null pointer access in next_state_val()

[hannob]

Passing the byte sequence 0x5b, 0xff, 0x30 to onig_new() crashes with a null pointer access in next_state_val() (regparse.c). Tested with latest develop branch and libfuzzer.

Test code:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char inp[3] = { 0x5b, 0xff, 0x30 };

    onig_new(&reg, inp, inp + 3, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

Asan stack trace:

==18989==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000534603 bp 0x7fffa020ff10 sp 0x7fffa020fc90 T0)
    #0 0x534602 in next_state_val /mnt/ram/oniguruma/src/regparse.c:4005:7
    #1 0x51f529 in parse_char_class /mnt/ram/oniguruma/src/regparse.c:4222:11
    #2 0x513836 in parse_exp /mnt/ram/oniguruma/src/regparse.c:5056:11
    #3 0x5106fb in parse_branch /mnt/ram/oniguruma/src/regparse.c:5221:7
    #4 0x5072bd in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5258:7
    #5 0x4faebf in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5303:7
    #6 0x4fa704 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5339:7
    #7 0x53e4ef in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5279:7
    #8 0x54e9c2 in onig_new /mnt/ram/oniguruma/src/regcomp.c:5518:7
    #9 0x4f21b4 in main (/mnt/ram/oniguruma/a.out+0x4f21b4)
    #10 0x7f67975e478f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x419708 in _start (/mnt/ram/oniguruma/a.out+0x419708)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /mnt/ram/oniguruma/src/regparse.c:4005:7 in next_state_val

[kkos]

Thank you for the report.
I have fixed it in develop branch.