diff --git a/NEWS b/NEWS
index d6e268b4b2f..86728ec3897 100644
--- a/NEWS
+++ b/NEWS
@@ -40,7 +40,9 @@ PHP                                                                        NEWS
   . Fixed stub for openssl_csr_new. (Jakub Zelenka)
 
 - PCRE:
-  . Fixed GH-16189 (underflow on offset argument). (David Carlier)
+  . Fixed bug GH-16189 (underflow on offset argument). (David Carlier)
+  . Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
+    (nielsdos)
 
 - PHPDBG:
   . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index eaa747b560d..a0ddc7b8580 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1728,9 +1728,11 @@ matched:
 						}
 						if (preg_get_backref(&walk, &backref)) {
 							if (backref < count) {
-								match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
-								memcpy(walkbuf, subject + offsets[backref<<1], match_len);
-								walkbuf += match_len;
+								if (offsets[backref<<1] < SIZE_MAX) {
+									match_len = offsets[(backref<<1)+1] - offsets[backref<<1];
+									memcpy(walkbuf, subject + offsets[backref<<1], match_len);
+									walkbuf += match_len;
+								}
 							}
 							continue;
 						}
diff --git a/ext/pcre/tests/gh16184.phpt b/ext/pcre/tests/gh16184.phpt
new file mode 100644
index 00000000000..ba915d19af7
--- /dev/null
+++ b/ext/pcre/tests/gh16184.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c)
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+
+$string = 'This is a string. It contains numbers (0*9) as well as parentheses and some other things!';
+echo preg_replace(array('/\b\w{1}s/', '/(\d{1})*(\d{1})/', '/[\(!\)]/'), array('test', '$1 to $2', '*'), $string), "\n";
+
+?>
+--EXPECT--
+This test a string. It contains numbers * to 0* to 9* test well test parentheses and some other things*