From: "jhawthorn (John Hawthorn) via ruby-core"
Date: 2024-11-12T05:06:44+00:00
Subject: [ruby-core:119884] [Ruby master Bug#20886] Crash due to double free on regex timeout after stack allocations

Issue #20886 has been reported by jhawthorn (John Hawthorn).

----------------------------------------
Bug #20886: Crash due to double free on regex timeout after stack allocations
https://bugs.ruby-lang.org/issues/20886

* Author: jhawthorn (John Hawthorn)
* Status: Open
* ruby -v: ruby 3.3.6 (2024-11-05 revision 75015d4c1f) [x86_64-linux]
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: REQUIRED
----------------------------------------
As of the change from #20650 ([1057485](https://github.com/ruby/ruby/commit/10574857ce167869524b97ee862b610928f6272f)) it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of `match_at` and a second time in `FREE_MATCH_ARG` in the parent caller.

It's fairly, but not quite 100%, reliable to reproduce; adjusting the timeout or number of spaces can help. I reduced this test case from a larger real-world regex; I believe the first part is important just to disable the match cache.

```
$ ruby -e 'Regexp.new("d()*+|a*a*bc", timeout: 0.2) === "b" + "a"*800'
double free or corruption (!prev)
```

https://github.com/ruby/ruby/pull/12030

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
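The report above concerns the path taken when a per-pattern regex timeout fires. The following is an added example, not code from the bug report or from the Ruby project, showing the behaviour that timeout is supposed to provide: a bounded match that raises `Regexp::TimeoutError` instead of hanging on catastrophic backtracking. It requires Ruby 3.2 or later, where `Regexp.new` accepts the `timeout:` keyword. The helper name `match_with_timeout`, its return shape, and the sample inputs are this example's own choices; `report_reproduction` wraps the exact pattern and input from the report and is deliberately not called at load time.

```ruby
# Added example (not from the bug report or the Ruby source tree).
# Demonstrates bounded regex matching with Ruby's per-pattern timeout.
# Requires Ruby >= 3.2 (Regexp.new accepts `timeout:` from that version).

# Match `input` against `pattern` with a timeout in seconds.
# Returns a [status, matched_text] pair:
#   [:match, text]  - pattern matched, text is the whole match
#   [:nomatch, nil] - pattern did not match within the time budget
#   [:timeout, nil] - the engine gave up because the timeout elapsed
# (helper name and return shape are assumptions made for this example)
def match_with_timeout(pattern, input, timeout: 0.2)
  re = Regexp.new(pattern, timeout: timeout)
  m = re.match(input)
  m ? [:match, m[0]] : [:nomatch, nil]
rescue Regexp::TimeoutError
  # The intended outcome for a pathological pattern: the caller gets an
  # exception it can handle, and the process keeps running.
  [:timeout, nil]
end

# The reproduction from the report, wrapped in the helper above.
# Not invoked at load time: on an affected build (ruby 3.3.6 per the
# report) the process may abort with "double free or corruption" instead
# of returning :timeout. With the fix from the linked PR applied, the
# expected result is [:timeout, nil] (assumption based on the report).
def report_reproduction
  match_with_timeout("d()*+|a*a*bc", "b" + "a" * 800, timeout: 0.2)
end

# Deterministic cases on constructed inputs; these never approach the timeout.
puts match_with_timeout("a*bc", "xxaaabc").inspect  # [:match, "aaabc"]
puts match_with_timeout("xyz", "abc").inspect       # [:nomatch, nil]
```

When many patterns share one budget, `Regexp.timeout = 1.0` (also Ruby 3.2+) sets a process-wide default that a per-pattern `timeout:` overrides; the rescue clause is the same in both cases.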