From ea940cc4dcff8d6c345d7015eda0bf06671f87e9 Mon Sep 17 00:00:00 2001 From: nobu Date: Mon, 20 Feb 2017 09:46:12 +0000 Subject: regparse.c: initialize return values * regparse.c (parse_char_class): initialize return values before depth limit check. returned values will be freed in callers regardless the error. [ruby-core:79624] [Bug #13234] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57660 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/-test-/regexp/extconf.rb | 3 +++ ext/-test-/regexp/init.c | 11 +++++++++++ ext/-test-/regexp/parse_depth_limit.c | 23 +++++++++++++++++++++++ regparse.c | 2 +- test/ruby/test_regexp.rb | 19 +++++++++++++++++++ 5 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 ext/-test-/regexp/extconf.rb create mode 100644 ext/-test-/regexp/init.c create mode 100644 ext/-test-/regexp/parse_depth_limit.c diff --git a/ext/-test-/regexp/extconf.rb b/ext/-test-/regexp/extconf.rb new file mode 100644 index 0000000000..ca51178a18 --- /dev/null +++ b/ext/-test-/regexp/extconf.rb @@ -0,0 +1,3 @@ +# frozen_string_literal: false +require_relative "../auto_ext.rb" +auto_ext diff --git a/ext/-test-/regexp/init.c b/ext/-test-/regexp/init.c new file mode 100644 index 0000000000..906abe940f --- /dev/null +++ b/ext/-test-/regexp/init.c @@ -0,0 +1,11 @@ +#include "ruby.h" + +#define init(n) {void Init_##n(VALUE klass); Init_##n(klass);} + +void +Init_regexp(void) +{ + VALUE mBug = rb_define_module("Bug"); + VALUE klass = rb_define_class_under(mBug, "Regexp", rb_cRegexp); + TEST_INIT_FUNCS(init); +} diff --git a/ext/-test-/regexp/parse_depth_limit.c b/ext/-test-/regexp/parse_depth_limit.c new file mode 100644 index 0000000000..8e08a5c789 --- /dev/null +++ b/ext/-test-/regexp/parse_depth_limit.c @@ -0,0 +1,23 @@ +#include +#include + +static VALUE +get_parse_depth_limit(VALUE self) +{ + unsigned int depth = onig_get_parse_depth_limit(); + return UINT2NUM(depth); +} + +static VALUE +set_parse_depth_limit(VALUE self, VALUE depth) +{ + onig_set_parse_depth_limit(NUM2UINT(depth)); + return depth; +} + +void +Init_parse_depth_limit(VALUE klass) +{ + rb_define_singleton_method(klass, "parse_depth_limit", get_parse_depth_limit, 0); + rb_define_singleton_method(klass, "parse_depth_limit=", set_parse_depth_limit, 1); +} diff --git a/regparse.c b/regparse.c index a2d2fcf6a7..1e0dfd99bb 100644 --- a/regparse.c +++ b/regparse.c @@ -4572,11 +4572,11 @@ parse_char_class(Node** np, Node** asc_np, OnigToken* tok, UChar** src, UChar* e enum CCVALTYPE val_type, in_type; int val_israw, in_israw; + *np = *asc_np = NULL_NODE; env->parse_depth++; if (env->parse_depth > ParseDepthLimit) return ONIGERR_PARSE_DEPTH_LIMIT_OVER; prev_cc = asc_prev_cc = (CClassNode* )NULL; - *np = *asc_np = NULL_NODE; r = fetch_token_in_cc(tok, src, end, env); if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) { neg = 1; diff --git a/test/ruby/test_regexp.rb b/test/ruby/test_regexp.rb index a9120149c5..112af60c96 100644 --- a/test/ruby/test_regexp.rb +++ b/test/ruby/test_regexp.rb @@ -1198,6 +1198,25 @@ class TestRegexp < Test::Unit::TestCase RUBY end + def test_invalid_free_at_parse_depth_limit_over + assert_separately([], "#{<<-"begin;"}\n#{<<-"end;"}") + begin; + begin + require '-test-/regexp' + rescue LoadError + else + bug = '[ruby-core:79624] [Bug #13234]' + Bug::Regexp.parse_depth_limit = 10 + src = "[" * 100 + 3.times do + assert_raise_with_message(RegexpError, /parse depth limit over/, bug) do + Regexp.new(src) + end + end + end + end; + end + # This assertion is for porting x2() tests in testpy.py of Onigmo. def assert_match_at(re, str, positions, msg = nil) re = Regexp.new(re) unless re.is_a?(Regexp) -- cgit v1.2.3