out of bounds read in next_state_val / regparse.c

[hannob]

Sample code:

#include <oniguruma.h>
int main()
{
    regex_t *reg;
    unsigned char *inp = "[0-0-\xe2  ";

    onig_new(&reg, inp, inp + 8, ONIG_OPTION_DEFAULT,
         ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
}

asan error:

==11115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000f4cc at pc 0x00000051aa28 bp 0x7fff5dbf3f50 sp 0x7fff5dbf3f48
READ of size 4 at 0x60600000f4cc thread T0
    #0 0x51aa27 in next_state_val /mnt/ram/oniguruma1/src/regparse.c:4001:7
    #1 0x5105bf in parse_char_class /mnt/ram/oniguruma1/src/regparse.c:4218:11
    #2 0x504720 in parse_exp /mnt/ram/oniguruma1/src/regparse.c:5052:11
    #3 0x5028cb in parse_branch /mnt/ram/oniguruma1/src/regparse.c:5217:7
    #4 0x4ffe2d in parse_subexp /mnt/ram/oniguruma1/src/regparse.c:5254:7
    #5 0x4f6f98 in parse_regexp /mnt/ram/oniguruma1/src/regparse.c:5299:7
    #6 0x4f6f98 in onig_parse_make_tree /mnt/ram/oniguruma1/src/regparse.c:5351
    #7 0x51e523 in onig_compile /mnt/ram/oniguruma1/src/regcomp.c:5279:7
    #8 0x544448 in onig_new /mnt/ram/oniguruma1/src/regcomp.c:5518:7
    #9 0x4f2317 in main /mnt/ram/oniguruma1/test.c:7:5
    #10 0x7f62e128c78f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r2/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x4198f8 in _start (/mnt/ram/oniguruma1/a.out+0x4198f8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/oniguruma1/src/regparse.c:4001:7 in next_state_val
Shadow bytes around the buggy address:
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9e90: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c0c7fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11115==ABORTING