Ruby » Ruby master

Valgrind reports out-of-bounds memory access while creating a Regexp object with an invalid byte sequence:

$ valgrind ruby -e'Regexp.new("\\\xD3\xD5\xBE\x1E+".force_encoding("euc-jp"))'
==21986== Memcheck, a memory error detector
==21986== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21986== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==21986== Command: ruby -eRegexp.new("\\\\\\xD3\\xD5\\xBE\\x1E+".force_encoding("euc-jp"))
==21986== 
==21986== Invalid read of size 1
==21986==    at 0x1EF7D0: set_bm_skip.isra.17 (regcomp.c:4271)
==21986==    by 0x1FC1FB: set_optimize_exact_info (regcomp.c:5310)
==21986==    by 0x1FC1FB: set_optimize_info_from_tree (regcomp.c:5396)
==21986==    by 0x1FC1FB: onig_compile (regcomp.c:5824)
==21986==    by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986==    by 0x1E7C0C: make_regexp (re.c:874)
==21986==    by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986==    by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986==    by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986==    by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986==    by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986==    by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986==    by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986==    by 0x29897C: vm_call0 (vm_eval.c:61)
==21986==    by 0x29897C: rb_call0 (vm_eval.c:342)
==21986==    by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986==    by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986==    by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986==    by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986==    by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986==    by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986==  Address 0x73f7333 is 0 bytes after a block of size 3 alloc'd
==21986==    at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21986==    by 0x1FC083: set_optimize_exact_info (regcomp.c:5284)
==21986==    by 0x1FC083: set_optimize_info_from_tree (regcomp.c:5396)
==21986==    by 0x1FC083: onig_compile (regcomp.c:5824)
==21986==    by 0x1E7C0C: onig_new_with_source (re.c:850)
==21986==    by 0x1E7C0C: make_regexp (re.c:874)
==21986==    by 0x1E7C0C: rb_reg_initialize (re.c:2681)
==21986==    by 0x1E7DEE: rb_reg_initialize_str (re.c:2715)
==21986==    by 0x1E8021: rb_reg_init_str (re.c:2751)
==21986==    by 0x1E8021: rb_reg_initialize_m (re.c:3293)
==21986==    by 0x2981AA: vm_call0_cfunc_with_frame (vm_eval.c:131)
==21986==    by 0x2981AA: vm_call0_cfunc (vm_eval.c:148)
==21986==    by 0x2981AA: vm_call0_body.constprop.142 (vm_eval.c:180)
==21986==    by 0x29897C: vm_call0 (vm_eval.c:61)
==21986==    by 0x29897C: rb_call0 (vm_eval.c:342)
==21986==    by 0x19BFA0: rb_class_new_instance (object.c:1895)
==21986==    by 0x2891D6: vm_call_cfunc_with_frame (vm_insnhelper.c:1752)
==21986==    by 0x2891D6: vm_call_cfunc (vm_insnhelper.c:1847)
==21986==    by 0x296A8D: vm_call_method_each_type (vm_insnhelper.c:2138)
==21986==    by 0x296FC2: vm_call_method (vm_insnhelper.c:2288)
==21986==    by 0x28FEC8: vm_exec_core (insns.def:1066)
==21986== 
==21986== 
==21986== HEAP SUMMARY:
==21986==     in use at exit: 2,538,700 bytes in 17,476 blocks
==21986==   total heap usage: 43,758 allocs, 26,282 frees, 10,646,254 bytes allocated
==21986== 
==21986== LEAK SUMMARY:
==21986==    definitely lost: 349,991 bytes in 3,886 blocks
==21986==    indirectly lost: 474,023 bytes in 5,121 blocks
==21986==      possibly lost: 1,441,628 bytes in 7,599 blocks
==21986==    still reachable: 273,058 bytes in 870 blocks
==21986==         suppressed: 0 bytes in 0 blocks
==21986== Rerun with --leak-check=full to see details of leaked memory
==21986== 
==21986== For counts of detected and suppressed errors, rerun with: -v
==21986== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)