archive/ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2025-08-15 13:39:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fix regex match cache out-of-bounds access

Browse source 
Previously the following read and wrote 1 byte out-of-bounds:

    $ valgrind ruby -e 'p /(\W+)[bx]\?/i.match? "aaaaaa aaaaaaaaa aaaa aaaaaaaa aaa aaaaxaaaaaaaaaaa aaaaa aaaaaaaaaaaa a ? aaa aaaa a ?"' 2> >(grep Invalid -A 30)

Because of the `match_cache_point_index + 1` in
memoize_extended_match_cache_point() and
check_extended_match_cache_point(), we need one more byte of space.
This commit is contained in:
Alan Wu 2023-11-15 16:09:59 -05:00 committed by Jean Boussier
parent c65bb5a0f8
commit 9786b909f9
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
regexec.c
View file

@ -4092,7 +4092,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
if (num_match_cache_points >= LONG_MAX_LIMIT) {
return ONIGERR_MEMORY;
}
size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0);
size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0) + 1;
uint8_t* match_cache_buf = (uint8_t*)xmalloc(match_cache_buf_length * sizeof(uint8_t));
if (match_cache_buf == NULL) {
return ONIGERR_MEMORY;