Bug #20886

Crash due to double free on regex timeout after stack allocations

Added by jhawthorn (John Hawthorn) 10 days ago. Updated 10 days ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: ruby 3.3.6 (2024-11-05 revision 75015d4c1f) [x86_64-linux]
[ruby-core:119884]

Description

As of the change from #20650 (1057485), it's possible to crash on a double free due to stk_alloc (AKA msa->stack_p) being freed twice: once at the end of match_at and a second time in FREE_MATCH_ARG in the parent caller.

It's fairly, but not quite 100%, reliable to reproduce; adjusting the timeout or number of spaces can help. I reduced this test case from a larger real-world regex; I believe the first part is important just to disable the match cache.

$ ruby -e 'Regexp.new("d()*+|a*a*bc", timeout: 0.2) === "b" + "a"*800'
double free or corruption (!prev)

https://github.com/ruby/ruby/pull/12030
