path: root/regexec.c
authorAlan Wu <XrXr@users.noreply.github.com>2023-11-15 16:09:59 -0500
committerJean Boussier <jean.boussier@gmail.com>2023-11-16 10:23:15 +0100
commit9786b909f96804df50ed2ff0be0ef8c6eead4132 (patch)
tree4e6c15a7fbfbf61daced5899539197cd435aebec /regexec.c
parentc65bb5a0f8a083e9a3fd7cec542ef7e494edfc48 (diff)
downloadruby-9786b909f96804df50ed2ff0be0ef8c6eead4132.tar.gz
Fix regex match cache out-of-bounds access
Previously the following command read and wrote 1 byte out of bounds: $ valgrind ruby -e 'p /(\W+)[bx]\?/i.match? "aaaaaa aaaaaaaaa aaaa aaaaaaaa aaa aaaaxaaaaaaaaaaa aaaaa aaaaaaaaaaaa a ? aaa aaaa a ?"' 2> >(grep Invalid -A 30) Because memoize_extended_match_cache_point() and check_extended_match_cache_point() access `match_cache_point_index + 1`, the match cache buffer needs one more byte of space than the bit count alone implies.
Diffstat (limited to 'regexec.c')
-rw-r--r--regexec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/regexec.c b/regexec.c
index f841fbffb5..4b02e7f9b5 100644
--- a/regexec.c
+++ b/regexec.c
@@ -4092,7 +4092,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
if (num_match_cache_points >= LONG_MAX_LIMIT) {
return ONIGERR_MEMORY;
}
- size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0);
+ size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0) + 1;
uint8_t* match_cache_buf = (uint8_t*)xmalloc(match_cache_buf_length * sizeof(uint8_t));
if (match_cache_buf == NULL) {
return ONIGERR_MEMORY;
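Review bot: The `+ 1` on the new `match_cache_buf_length` line is the entire fix but carries no explanation in the code; the reason (the accessor functions touch byte `match_cache_point_index + 1`) lives only in the commit message, so a later refactor of either the sizing here or the index arithmetic in those functions can silently reintroduce the one-byte overrun. Add a comment on that line, `/* +1: memoize_/check_extended_match_cache_point() touch byte match_cache_point_index + 1 */`. Because the slack is computed here independently of the accessors that rely on it (both outside this hunk), it would be safer to express it as a shared named constant or to bounds-check the index against `match_cache_buf_length` in the accessors so the two cannot drift apart. The preceding `LONG_MAX_LIMIT` guard presumably keeps the shift-plus-two arithmetic from overflowing, but that depends on how `num_match_cache_points` is typed, which is not visible here. match_at's body continues beyond the hunk on both sides.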