1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix regex timeout double-free after stack_double

Browse Source 
As of 10574857ce167869524b97ee862b610928f6272f, it's possible to crash
on a double free due to `stk_alloc` AKA `msa->stack_p` being freed
twice, once at the end of match_at and a second time in `FREE_MATCH_ARG`
in the parent caller.

Fixes [Bug #20886]
This commit is contained in:
John Hawthorn 2024-11-04 18:05:59 -08:00
parent a6fdd8883c
commit 8409edc497
Notes: git 2024-11-12 07:33:38 +00:00 
Merged: https://github.com/ruby/ruby/pull/12030
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
regexec.c
View File

@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
return ONIGERR_UNEXPECTED_BYTECODE; return ONIGERR_UNEXPECTED_BYTECODE;
timeout: timeout:
STACK_SAVE;
xfree(xmalloc_base); xfree(xmalloc_base);
if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
xfree(stk_base);
return ONIGERR_TIMEOUT; return ONIGERR_TIMEOUT;
} }

7
test/ruby/test_regexp.rb
View File

@ -1845,6 +1845,13 @@ class TestRegexp < Test::Unit::TestCase
end end
end end
def test_bug_20886
re = Regexp.new("d()*+|a*a*bc", timeout: 0.02)
assert_raise(Regexp::TimeoutError) do
re === "b" + "a" * 1000
end
end
def per_instance_redos_test(global_timeout, per_instance_timeout, expected_timeout) def per_instance_redos_test(global_timeout, per_instance_timeout, expected_timeout)
assert_separately([], "#{<<-"begin;"}\n#{<<-'end;'}") assert_separately([], "#{<<-"begin;"}\n#{<<-'end;'}")
global_timeout = #{ EnvUtil.apply_timeout_scale(global_timeout).inspect } global_timeout = #{ EnvUtil.apply_timeout_scale(global_timeout).inspect }