ruby-dev (Japanese) list archive (unofficial mirror)
* [ruby-dev:52056]  [Ruby master Bug#19537] Regexp caching algorithm since v3.2.0 causes invalid memory access
       [not found] <redmine.issue-19537.20230317143612.52759@ruby-lang.org>
@ 2023-10-25 23:54 ` jeremyevans0 (Jeremy Evans) via ruby-dev
From: jeremyevans0 (Jeremy Evans) via ruby-dev @ 2023-10-25 23:54 UTC (permalink / raw)
  To: ruby-dev; +Cc: jeremyevans0 (Jeremy Evans)

Issue #19537 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

Fixed in commit:a1c2c274eebcc2a5275b677ebf94a8dbff380770

----------------------------------------
Bug #19537: Regexp caching algorithm since v3.2.0 causes invalid memory access
https://bugs.ruby-lang.org/issues/19537#change-105083

* Author: jj1uzh (Futa Miyachi)
* Status: Closed
* Priority: Normal
* Assignee: make_now_just (Hiroya Fujinami)
* ruby -v: ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Some types of regular expressions cause invalid memory access on `#match`. The length of the string to match does not matter.
For example, with the regex `/^([ab]{1,3})(a?)*$/`, `"aac"` can crash Ruby.

This bug may be caused by the caching algorithm introduced in v3.2.0.
v3.1.3 is safe as far as I checked.

Environments:
Linux 6.2.6-arch1-1 x86-64, 16GB RAM

Reproduction process:
```
$> ruby -e 'p /^([ab]{1,3})(a?)*$/.match "aac"'
-e:1: [BUG] Segmentation fault at 0x0000560315993d90
ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
...
```
Whole output is attached as output.txt.
Note that the result may sometimes correctly be `nil`.

Part of backtrace:
```
#5  0x000055ff30b71ecb in sigsegv (sig=11, info=0x55ff31bd0e70, ctx=0x55ff31bd0d40) at ../signal.c:964
#6  <signal handler called>
#7  reset_match_cache (num_cache_table=<optimized out>, num_cache_size=3, table=0x55ff31e2d930, match_cache=0x55ff31e2aec0 "\300\f", pos=2, pend=<optimized out>, pbegin=0x55ff31dc7202 ">\030", reg=0x55ff31e199b0) at ../regexec.c:1292
#8  match_at (reg=reg@entry=0x55ff31e199b0, str=str@entry=0x7fb176c7f148 "aac", end=<optimized out>, end@entry=0x7fb176c7f14b "", sstart=sstart@entry=0x7fb176c7f148 "aac", sprev=<optimized out>, msa=msa@entry=0x7ffe40153d30)
    at ../regexec.c:3486
```

---Files--------------------------------
output.txt (17.4 KB)
ruby-19537.patch (1.77 KB)


-- 
https://bugs.ruby-lang.org/
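To check whether a given interpreter is affected without taking down the calling process, the reproducer from the report can be run in a child `ruby` and the child's exit classified. This is an added example, not code from the bug report, the linked patch, or Ruby's own test suite; the helper names `classify_exit` and `probe_regexp` are mine, and the number of repeated runs is an arbitrary choice made because the report notes the match sometimes completes correctly.

```ruby
require "open3"
require "rbconfig"

# Classify how a child ruby process ended. A child killed by a signal
# (SIGSEGV directly, or SIGABRT raised by Ruby's own [BUG] handler after it
# prints the crash report) counts as a crash; a non-zero exit without a
# signal is an ordinary error such as a syntax error in the probe script.
def classify_exit(exitstatus, termsig)
  return :crashed if termsig
  return :ok if exitstatus == 0
  :error
end

# Match PATTERN_SRC against INPUT in a separate interpreter so that a fault
# inside the regexp engine cannot crash the caller. Because the original
# report observes that the match sometimes returns nil correctly, the probe
# is repeated RUNS times and reports the first non-:ok outcome.
def probe_regexp(pattern_src, input, runs: 5)
  script = "Regexp.new(#{pattern_src.inspect}).match(#{input.inspect})"
  runs.times do
    _out, _err, status = Open3.capture3(RbConfig.ruby, "--disable-gems", "-e", script)
    result = classify_exit(status.exitstatus, status.termsig)
    return result unless result == :ok
  end
  :ok
end

if __FILE__ == $0
  # The pattern and input are the ones given in the bug report.
  verdict = probe_regexp("^([ab]{1,3})(a?)*$", "aac")
  puts "#{RbConfig.ruby}: #{verdict}"
end
```

On an interpreter with the fix the verdict is `:ok`; `:crashed` means the child was terminated by a signal, which on an affected build shows up as the `[BUG] Segmentation fault` report on stderr.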
