Ruby » Ruby master

Some types of regular expressions causes invalid memory access on #match. Length of strings to match does not matter.
For example, for regex /^([ab]{1,3})(a?)*$/, "aac" can crash ruby.

This bug may be caused in caching algorithm since v3.2.0.
v3.1.3 is safe as far as I checked.

Environments:
Linux 6.2.6-arch1-1 x86-64, 16GB RAM

Reproduce Process:

$> ruby -e 'p /^([ab]{1,3})(a?)*$/.match "aac"'
-e:1: [BUG] Segmentation fault at 0x0000560315993d90
ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
...

Whole output is attached as output.txt.
Note that result may be nil correctly sometimes.

Part of backtrace:

#5  0x000055ff30b71ecb in sigsegv (sig=11, info=0x55ff31bd0e70, ctx=0x55ff31bd0d40) at ../signal.c:964
#6  <signal handler called>
#7  reset_match_cache (num_cache_table=<optimized out>, num_cache_size=3, table=0x55ff31e2d930, match_cache=0x55ff31e2aec0 "\300\f", pos=2, pend=<optimized out>, pbegin=0x55ff31dc7202 ">\030", reg=0x55ff31e199b0) at ../regexec.c:1292
#8  match_at (reg=reg@entry=0x55ff31e199b0, str=str@entry=0x7fb176c7f148 "aac", end=<optimized out>, end@entry=0x7fb176c7f14b "", sstart=sstart@entry=0x7fb176c7f148 "aac", sprev=<optimized out>, msa=msa@entry=0x7ffe40153d30)
    at ../regexec.c:3486