Bug #20886
closed
Crash due to double free on regex timeout after stack allocations
Description
As of the change from #20650 (1057485) it's possible to crash on a double free due to stk_alloc AKA msa->stack_p being freed twice, once at the end of match_at and a second time in FREE_MATCH_ARG in the parent caller.
It's fairly, but not quite 100% reliable to reproduce, adjusting the timeout or number of spaces can help. I reduced this test case from a larger real-world regex, I believe the first part is important just to disable the match cache.
$ ruby -e 'Regexp.new("d()*+|a*a*bc", timeout: 0.2) === "b" + "a"*800'
double free or corruption (!prev)
Updated by jhawthorn (John Hawthorn) 7 days ago
- Status changed from Open to Closed
Applied in changeset git|8409edc4971f34cf0d77c375909c5b8f7b1e058a.
Fix regex timeout double-free after stack_double
As of 10574857ce167869524b97ee862b610928f6272f, it's possible to crash
on a double free due to stk_alloc AKA msa->stack_p being freed
twice, once at the end of match_at and a second time in FREE_MATCH_ARG
in the parent caller.
Fixes [Bug #20886]
Updated by jhawthorn (John Hawthorn) 7 days ago
I've opened a backport PR for Ruby 3.3. I don't believe other versions need a backport as the previous memory leak patches were not backported to the 3.2 branch and a quick test doesn't show the bug reproducing.