[Bug #20886] Avoid double-free in regex timeout after stack_double (ruby#12063)

jhawthorn · web-flow · commit f4258aaed02e · 2024-11-12T09:04:21.000-08:00
Fix regex timeout double-free after stack_double As of 1057485, it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of match_at and a second time in `FREE_MATCH_ARG` in the parent caller. Fixes [Bug #20886]
diff --git a/regexec.c b/regexec.c
@@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
   return ONIGERR_UNEXPECTED_BYTECODE;
 
  timeout:
+  STACK_SAVE;
   xfree(xmalloc_base);
-  if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
-      xfree(stk_base);
   return ONIGERR_TIMEOUT;
 }
 
diff --git a/test/ruby/test_regexp.rb b/test/ruby/test_regexp.rb
@@ -1838,6 +1838,13 @@ def test_bug_20453
     end;
   end
 
+  def test_bug_20886
+    re = Regexp.new("d()*+|a*a*bc", timeout: 0.02)
+    assert_raise(Regexp::TimeoutError) do
+      re === "b" + "a" * 1000
+    end
+  end
+
   def per_instance_redos_test(global_timeout, per_instance_timeout, expected_timeout)
     assert_separately([], "#{<<-"begin;"}\n#{<<-'end;'}")
       global_timeout = #{ EnvUtil.apply_timeout_scale(global_timeout).inspect }

Original file line number	Diff line number	Diff line change
`@@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,`
`4217`	`4217`	`return ONIGERR_UNEXPECTED_BYTECODE;`
`4218`	`4218`
`4219`	`4219`	`timeout:`
	`4220`	`+ STACK_SAVE;`
`4220`	`4221`	`xfree(xmalloc_base);`
`4221`		`- if (stk_base != stk_alloc \|\| IS_NOT_NULL(msa->stack_p))`
`4222`		`- xfree(stk_base);`
`4223`	`4222`	`return ONIGERR_TIMEOUT;`
`4224`	`4223`	`}`
`4225`	`4224`