archive/ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2025-08-15 13:39:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[Bug #20453] segfault in Regexp timeout

Browse source 
https://bugs.ruby-lang.org/issues/20228 started freeing `stk_base` to
avoid a memory leak. But `stk_base` is sometimes stack allocated (using
`xalloca`), so the free only works if the regex stack has grown enough
to hit `stack_double` (which uses `xmalloc` and `xrealloc`).

To reproduce the problem on master and 3.3.1:

```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"'
```

Some details about this potential fix:

`stk_base == stk_alloc` on
[init](dde99215f2/regexec.c (L1153)),
so if `stk_base != stk_alloc` we can be sure we called
[`stack_double`](dde99215f2/regexec.c (L1210))
and it's safe to free. It's also safe to free if we've
[saved](dde99215f2/regexec.c (L1187-L1189))
the stack to `msa->stack_p`, since we do the `stk_base != stk_alloc`
check before saving.

This matches the check we do inside
[`stack_double`](dde99215f2/regexec.c (L1221))
This commit is contained in:
Daniel Colson 2024-04-24 22:20:48 -04:00 committed by Peter Zhu
parent 7ab1a608e7
commit d292a9b98c
2 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
regexec.c
View file

@ -4218,7 +4218,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
timeout:
xfree(xmalloc_base);
xfree(stk_base);
if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
xfree(stk_base);
HANDLE_REG_TIMEOUT_IN_MATCH_AT;
}