| author | Alan Wu <XrXr@users.noreply.github.com> | 2023-11-15 16:09:59 -0500 |
|---|---|---|
| committer | Jean Boussier <jean.boussier@gmail.com> | 2023-11-16 10:23:15 +0100 |
| commit | 9786b909f96804df50ed2ff0be0ef8c6eead4132 (patch) | |
| tree | 4e6c15a7fbfbf61daced5899539197cd435aebec /regexec.c | |
| parent | c65bb5a0f8a083e9a3fd7cec542ef7e494edfc48 (diff) | |
| download | ruby-9786b909f96804df50ed2ff0be0ef8c6eead4132.tar.gz | |
Fix regex match cache out-of-bounds access
Previously the following read and wrote 1 byte out-of-bounds:
$ valgrind ruby -e 'p /(\W+)[bx]\?/i.match? "aaaaaa aaaaaaaaa aaaa aaaaaaaa aaa aaaaxaaaaaaaaaaa aaaaa aaaaaaaaaaaa a ? aaa aaaa a ?"' 2> >(grep Invalid -A 30)
Because of the `match_cache_point_index + 1` in
memoize_extended_match_cache_point() and
check_extended_match_cache_point(), we need one more byte of space.
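The sizing arithmetic behind the commit message, as an added C example (not Ruby's own code): it models the match-cache bit vector with a bounds-checked setter and shows that the pre-fix length of ceil(n/8) bytes is one byte short whenever an access at `index + 1` reaches index n. The function names and the loop that touches every point's `index + 1` are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Byte count before the fix: ceil(num_points / 8), as in the removed line. */
static size_t cache_len_before(size_t num_points) {
    return (num_points >> 3) + (num_points & 7 ? 1 : 0);
}

/* Byte count after the fix: one spare byte for the `index + 1` accesses. */
static size_t cache_len_after(size_t num_points) {
    return cache_len_before(num_points) + 1;
}

/* Bounds-checked bit set: returns false instead of writing past the buffer. */
static bool cache_set_bit(uint8_t *buf, size_t buf_len, size_t bit_index) {
    size_t byte = bit_index >> 3;
    if (byte >= buf_len) return false;
    buf[byte] |= (uint8_t)(1u << (bit_index & 7));
    return true;
}

/* Stand-in for memoize_extended_match_cache_point() (assumption): the extended
 * point for cache point i is stored at bit i + 1, so the largest bit index
 * touched is num_points itself, i.e. byte num_points >> 3. */
static bool memoize_extended_ok(size_t num_points, size_t buf_len) {
    uint8_t *buf = calloc(buf_len ? buf_len : 1, 1);
    if (buf == NULL) return false;
    bool ok = true;
    for (size_t i = 0; i < num_points && ok; i++)
        ok = cache_set_bit(buf, buf_len, i + 1);
    free(buf);
    return ok;
}

/* True when the pre-fix sizing trips the bounds check for this point count.
 * That happens exactly when num_points is a multiple of 8: the rounding term
 * adds nothing, so byte num_points >> 3 is one past the end. */
static bool old_sizing_overflows(size_t num_points) {
    return !memoize_extended_ok(num_points, cache_len_before(num_points));
}

/* With the extra byte, byte num_points >> 3 is always inside the buffer. */
static bool new_sizing_overflows(size_t num_points) {
    return !memoize_extended_ok(num_points, cache_len_after(num_points));
}
```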
Diffstat (limited to 'regexec.c')
-rw-r--r-- | regexec.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -4092,7 +4092,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, if (num_match_cache_points >= LONG_MAX_LIMIT) { return ONIGERR_MEMORY; } - size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0); + size_t match_cache_buf_length = (num_match_cache_points >> 3) + (num_match_cache_points & 7 ? 1 : 0) + 1; uint8_t* match_cache_buf = (uint8_t*)xmalloc(match_cache_buf_length * sizeof(uint8_t)); if (match_cache_buf == NULL) { return ONIGERR_MEMORY; |
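Review bot: the `+ 1` appended to `size_t match_cache_buf_length = ... + 1;` carries no comment, so the reason for it (memoize_extended_match_cache_point() and check_extended_match_cache_point() index `match_cache_point_index + 1`, which for the last point lands in byte `num_match_cache_points >> 3`, one past a ceil(n/8) buffer whenever n is a multiple of 8) survives only in the commit message; suggest a one-line comment on the allocation, e.g. `/* +1: extended cache points are accessed at index + 1 */`, so a later cleanup does not fold it back into the rounding term. The preceding `LONG_MAX_LIMIT` check already bounds `num_match_cache_points`, so the extra byte cannot push the `xmalloc` size computation into overflow.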