out of bounds read in mbc_enc_len / utf8.c

[hannob]

The string "\g" will cause an out of bounds read in mbc_enc_len. Code:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char inp[2] = {'\\', 'g' };

    onig_new(&reg, inp, inp + 2, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

As usual: tested with develop tree, found with libfuzzer and asan.

asan error:

==10986==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe31c2c742 at pc 0x000000561b46 bp 0x7ffe31c2bc40 sp 0x7ffe31c2bc38
READ of size 1 at 0x7ffe31c2c742 thread T0
    #0 0x561b45 in mbc_enc_len /mnt/ram/oniguruma1/src/utf8.c:65:22
    #1 0x559574 in onigenc_mbc_enc_len_end /mnt/ram/oniguruma1/src/regenc.c:117:9
    #2 0x561c4d in mbc_to_code /mnt/ram/oniguruma1/src/utf8.c:99:9
    #3 0x4fbfbe in fetch_token /mnt/ram/oniguruma1/src/regparse.c:3443:9
    #4 0x4f6f7e in parse_regexp /mnt/ram/oniguruma1/src/regparse.c:5297:7
    #5 0x4f6f7e in onig_parse_make_tree /mnt/ram/oniguruma1/src/regparse.c:5351
    #6 0x51e543 in onig_compile /mnt/ram/oniguruma1/src/regcomp.c:5279:7
    #7 0x544468 in onig_new /mnt/ram/oniguruma1/src/regcomp.c:5518:7
    #8 0x4f233f in main /mnt/ram/oniguruma1/oob-mbc_enc_len.c:7:5
    #9 0x7f57bc43378f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x4198f8 in _start (/mnt/ram/oniguruma1/a.out+0x4198f8)

Address 0x7ffe31c2c742 is located in stack of thread T0 at offset 66 in frame
    #0 0x4f224f in main /mnt/ram/oniguruma1/oob-mbc_enc_len.c:3

  This frame has 2 object(s):
    [32, 40) 'reg'
    [64, 66) 'inp' <== Memory access at offset 66 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /mnt/ram/oniguruma1/src/utf8.c:65:22 in mbc_enc_len
Shadow bytes around the buggy address:
  0x10004637d890: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
  0x10004637d8a0: f2 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10004637d8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004637d8e0: f1 f1 f1 f1 00 f2 f2 f2[02]f3 f3 f3 00 00 00 00
  0x10004637d8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004637d930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10986==ABORTING