Fix regex timeout double-free after stack_double

As of 10574857ce, it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of match_at and a second time in `FREE_MATCH_ARG` in the parent caller. Fixes [Bug #20886]
Merged: https://github.com/ruby/ruby/pull/12030
2025-08-15 13:39:04 +02:00 · 2024-11-04 18:05:59 -08:00 · 2024-11-04 18:05:59 -08:00 · 8409edc497 · 2024-11-12 07:33:38 +00:00
commit 8409edc497
parent a6fdd8883c
2 changed files with 8 additions and 2 deletions
--- a/regexec.c
+++ b/regexec.c
@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
  return ONIGERR_UNEXPECTED_BYTECODE;

 timeout:
+  STACK_SAVE;
  xfree(xmalloc_base);
-  if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
-      xfree(stk_base);
  return ONIGERR_TIMEOUT;
 }