Fix regex match cache out-of-bounds access

XrXr · byroot · commit 9786b909f968 · 2023-11-16T10:23:15.000+01:00
Previously the following read and wrote 1 byte out-of-bounds:

    $ valgrind ruby -e 'p /(\W+)[bx]\?/i.match? "aaaaaa aaaaaaaaa aaaa aaaaaaaa aaa aaaaxaaaaaaaaaaa aaaaa aaaaaaaaaaaa a ? aaa aaaa a ?"' 2&gt; &gt;(grep Invalid -A 30)

Because of the `match_cache_point_index + 1` in
memoize_extended_match_cache_point() and
check_extended_match_cache_point(), we need one more byte of space.
diff --git a/regexec.c b/regexec.c
@@ -4092,7 +4092,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 	  if (num_match_cache_points >= LONG_MAX_LIMIT) {
 	    return ONIGERR_MEMORY;
 	  }
-	  size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0);
+	  size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0) + 1;
 	  uint8_t* match_cache_buf = (uint8_t*)xmalloc(match_cache_buf_length * sizeof(uint8_t));
 	  if (match_cache_buf == NULL) {
 	    return ONIGERR_MEMORY;

Original file line number	Diff line number	Diff line change
`@@ -4092,7 +4092,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,`
`4092`	`4092`	`if (num_match_cache_points >= LONG_MAX_LIMIT) {`
`4093`	`4093`	`return ONIGERR_MEMORY;`
`4094`	`4094`	`}`
`4095`		`- size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0);`
	`4095`	`+ size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0) + 1;`
`4096`	`4096`	`uint8_t* match_cache_buf = (uint8_t)xmalloc(match_cache_buf_length sizeof(uint8_t));`
`4097`	`4097`	`if (match_cache_buf == NULL) {`
`4098`	`4098`	`return ONIGERR_MEMORY;`