From: "dodecadaniel (Daniel Colson) via ruby-core"
Date: 2024-04-25T02:19:09+00:00
Subject: [ruby-core:117697] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout

Issue #20453 has been reported by dodecadaniel (Daniel Colson).

----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453

* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
https://bugs.ruby-lang.org/issues/20228 frees `stk_base` to avoid a memory leak, but `stk_base` is sometimes stack-allocated ([see `xalloca`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1177-L1181)). So the free only works if the regex stack grows enough that it needs to double ([see `xmalloc` and `xrealloc` in `stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1210-L1249)).

Reproduction:

```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```

I'll open a PR shortly.

https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that version as well.

--
https://bugs.ruby-lang.org/
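The alloca-versus-heap condition the report describes, as an added C model that is not Ruby's regexec.c (the struct layout, the 4-entry initial buffer and the function names are assumptions): the release step must check whether `stk_base` still points at the initial stack buffer before calling free, which is exactly what an unconditional free on the timeout path gets wrong.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of the regexec.c backtrack stack: the initial buffer is
 * alloca/stack memory and only moves to the heap when it doubles. */
typedef struct {
    long *base;   /* current buffer (stk_base) */
    long *alloc;  /* initial non-heap buffer (stk_alloc) */
    size_t n, top;
} bt_stack;

/* Mirrors stack_double: first growth must malloc+copy (not heap yet),
 * later growths may realloc. Returns 0 on allocation failure. */
static int stack_double(bt_stack *s) {
    size_t new_n = s->n * 2; long *p;
    if (s->base == s->alloc) {
        if ((p = malloc(new_n * sizeof *p))) memcpy(p, s->base, s->n * sizeof *p);
    } else {
        p = realloc(s->base, new_n * sizeof *p);
    }
    if (!p) return 0;
    s->base = p; s->n = new_n;
    return 1;
}

static int stack_push(bt_stack *s, long v) {
    if (s->top == s->n && !stack_double(s)) return 0;
    s->base[s->top++] = v;
    return 1;
}

/* The reported bug is an unconditional free(base) on the timeout path; a
 * correct release frees only a buffer that moved to the heap (returns 1). */
static int stack_release(bt_stack *s) {
    int heap = (s->base != s->alloc);
    if (heap) free(s->base);
    s->base = s->alloc; s->top = 0;
    return heap;
}

/* Push `pushes` entries onto a 4-entry stack buffer, then release as the
 * timeout path would. Returns stack_release's result, or -1 on OOM. */
int simulate(size_t pushes) {
    long initial[4];  /* stands in for the xalloca buffer */
    bt_stack s = { initial, initial, 4, 0 };
    for (size_t i = 0; i < pushes; i++)
        if (!stack_push(&s, (long)i)) { stack_release(&s); return -1; }
    return stack_release(&s);
}
```

A match that never pushes more than the initial buffer holds leaves `base` on the stack, so `simulate(4)` reports no heap free while `simulate(5)` does; under AddressSanitizer the unconditional variant aborts on the first case.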