* [ruby-dev:52056] [Ruby master Bug#19537] Regexp caching algorithm since v3.2.0 causes invalid memory access
[not found] <redmine.issue-19537.20230317143612.52759@ruby-lang.org>
@ 2023-10-25 23:54 ` jeremyevans0 (Jeremy Evans) via ruby-dev
0 siblings, 0 replies; only message in thread
From: jeremyevans0 (Jeremy Evans) via ruby-dev @ 2023-10-25 23:54 UTC (permalink / raw)
To: ruby-dev; +Cc: jeremyevans0 (Jeremy Evans)
Issue #19537 has been updated by jeremyevans0 (Jeremy Evans).
Status changed from Open to Closed
Fixed in commit:a1c2c274eebcc2a5275b677ebf94a8dbff380770
----------------------------------------
Bug #19537: Regexp caching algorithm since v3.2.0 causes invalid memory access
https://bugs.ruby-lang.org/issues/19537#change-105083
* Author: jj1uzh (Futa Miyachi)
* Status: Closed
* Priority: Normal
* Assignee: make_now_just (Hiroya Fujinami)
* ruby -v: ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Some types of regular expressions causes invalid memory access on `#match`. Length of strings to match does not matter.
For example, for regex `/^([ab]{1,3})(a?)*$/`, `"aac"` can crash ruby.
This bug may be caused in caching algorithm since v3.2.0.
v3.1.3 is safe as far as I checked.
Environments:
Linux 6.2.6-arch1-1 x86-64, 16GB RAM
Reproduce Process:
```
$> ruby -e 'p /^([ab]{1,3})(a?)*$/.match "aac"'
-e:1: [BUG] Segmentation fault at 0x0000560315993d90
ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
...
```
Whole output is attached as output.txt.
Note that result may be `nil` correctly sometimes.
Part of backtrace:
```
#5 0x000055ff30b71ecb in sigsegv (sig=11, info=0x55ff31bd0e70, ctx=0x55ff31bd0d40) at ../signal.c:964
#6 <signal handler called>
#7 reset_match_cache (num_cache_table=<optimized out>, num_cache_size=3, table=0x55ff31e2d930, match_cache=0x55ff31e2aec0 "\300\f", pos=2, pend=<optimized out>, pbegin=0x55ff31dc7202 ">\030", reg=0x55ff31e199b0) at ../regexec.c:1292
#8 match_at (reg=reg@entry=0x55ff31e199b0, str=str@entry=0x7fb176c7f148 "aac", end=<optimized out>, end@entry=0x7fb176c7f14b "", sstart=sstart@entry=0x7fb176c7f148 "aac", sprev=<optimized out>, msa=msa@entry=0x7ffe40153d30)
at ../regexec.c:3486
```
---Files--------------------------------
output.txt (17.4 KB)
ruby-19537.patch (1.77 KB)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-10-25 23:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <redmine.issue-19537.20230317143612.52759@ruby-lang.org>
2023-10-25 23:54 ` [ruby-dev:52056] [Ruby master Bug#19537] Regexp caching algorithm since v3.2.0 causes invalid memory access jeremyevans0 (Jeremy Evans) via ruby-dev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).