From a5c84a3ec602d169535151c6425a8aa89dcbdee1 Mon Sep 17 00:00:00 2001
From: cuiwenhao123 <1348733191@qq.com>
Date: Thu, 28 May 2026 15:38:14 +0800
Subject: [PATCH] Add advisory for onig Region heap overflow
---
crates/onig/RUSTSEC-0000-0000.md | 37 ++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 crates/onig/RUSTSEC-0000-0000.md
diff --git a/crates/onig/RUSTSEC-0000-0000.md b/crates/onig/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..48c96b448
--- /dev/null
+++ b/crates/onig/RUSTSEC-0000-0000.md
@@ -0,0 +1,37 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "onig"
+date = "2026-01-07"
+url = "https://github.com/rust-onig/rust-onig/issues/215"
+references = [
+ "https://github.com/rust-onig/rust-onig/pull/221",
+ "https://github.com/rust-onig/rust-onig/commit/fa76915bad1bf87c796b5a2d917b86fd5f23bf1c",
+]
+categories = ["memory-corruption", "memory-exposure"]
+keywords = ["integer-overflow", "heap-buffer-overflow", "out-of-bounds-read", "ffi"]
+
+[affected.functions]
+"onig::Region::reserve" = ["< 6.5.2"]
+"onig::Region::with_capacity" = ["< 6.5.2"]
+"onig::Region::pos" = ["< 6.5.2"]
+
+[versions]
+patched = [">= 6.5.2"]
+```
+
+# Heap buffer overflow in `Region`
+
+Affected versions of `onig` expose a memory-safety bug in the safe `Region` API.
+`Region::reserve()` and `Region::with_capacity()` accepted a `usize` capacity
+and passed it to `onig_sys::onig_region_resize()` after an unchecked cast to
+`c_int`. A capacity larger than `c_int::MAX` could wrap to a negative value
+before entering the C API.
+
+The wrapped value could cause the C implementation to allocate only the default
+small region while storing the negative value in `num_regs`. Later,
+`Region::len()` cast `num_regs` back to `usize`, so `Region::pos()` could treat
+out-of-range indices as valid and read past the heap allocation.
+
+The issue was fixed in version `6.5.2` by checking the `usize` to `c_int`
+conversion in `Region::reserve()` and panicking on overflow.