
Issue #19537 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed
Fixed in commit:a1c2c274eebcc2a5275b677ebf94a8dbff380770

----------------------------------------
Bug #19537: Regexp caching algorithm since v3.2.0 causes invalid memory access
https://bugs.ruby-lang.org/issues/19537#change-105083

* Author: jj1uzh (Futa Miyachi)
* Status: Closed
* Priority: Normal
* Assignee: make_now_just (Hiroya Fujinami)
* ruby -v: ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Some types of regular expressions cause invalid memory access on `#match`. The length of the string to match does not matter.

For example, for the regex `/^([ab]{1,3})(a?)*$/`, `"aac"` can crash ruby.

This bug may be caused by the caching algorithm introduced in v3.2.0. v3.1.3 is safe as far as I checked.

Environments: Linux 6.2.6-arch1-1 x86-64, 16GB RAM

Steps to reproduce:

```
$> ruby -e 'p /^([ab]{1,3})(a?)*$/.match "aac"'
-e:1: [BUG] Segmentation fault at 0x0000560315993d90
ruby 3.3.0dev (2023-03-17T09:50:55Z master c65d7b4bea) [x86_64-linux]
...
```

The whole output is attached as output.txt. Note that the result may sometimes correctly be `nil`.

Part of the backtrace:

```
#5  0x000055ff30b71ecb in sigsegv (sig=11, info=0x55ff31bd0e70, ctx=0x55ff31bd0d40) at ../signal.c:964
#6  <signal handler called>
#7  reset_match_cache (num_cache_table=<optimized out>, num_cache_size=3, table=0x55ff31e2d930, match_cache=0x55ff31e2aec0 "\300\f", pos=2, pend=<optimized out>, pbegin=0x55ff31dc7202 ">\030", reg=0x55ff31e199b0) at ../regexec.c:1292
#8  match_at (reg=reg@entry=0x55ff31e199b0, str=str@entry=0x7fb176c7f148 "aac", end=<optimized out>, end@entry=0x7fb176c7f14b "", sstart=sstart@entry=0x7fb176c7f148 "aac", sprev=<optimized out>, msa=msa@entry=0x7ffe40153d30) at ../regexec.c:3486
```

---Files--------------------------------
output.txt (17.4 KB)
ruby-19537.patch (1.77 KB)

-- 
https://bugs.ruby-lang.org/
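A safe way to check whether a given Ruby build is affected by the crash described in this report, as an added example (not code from the report or from the Ruby project): the match is run in a child process, so a segfault or `[BUG]` abort kills only the child and the caller gets a classification instead of a dead interpreter. The function name `probe_regexp` and its keyword parameters are assumptions; the pattern and input are the ones from the report.

```ruby
# Added example, not part of the bug report. Runs the reported regexp match
# in a separate ruby process and reports whether that process crashed.
require "open3"
require "rbconfig"

PATTERN = '/^([ab]{1,3})(a?)*$/'  # regexp from the report
INPUT   = "aac"                   # input from the report

# Returns :ok when the child exits normally, :crashed when it is killed by a
# signal (e.g. SIGSEGV) or prints a [BUG] report, :error for a non-crash
# failure (e.g. an invalid pattern), and :timeout if it exceeds `limit`.
def probe_regexp(pattern: PATTERN, input: INPUT, ruby: RbConfig.ruby, limit: 10)
  script = "p #{pattern}.match(#{input.inspect})"
  Open3.popen3(ruby, "-e", script) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    # Drain both pipes in the background so a large [BUG] report cannot
    # fill the pipe buffer and block the child before it exits.
    out_reader = Thread.new { stdout.read }
    err_reader = Thread.new { stderr.read }
    unless wait_thr.join(limit)
      Process.kill("KILL", wait_thr.pid)
      wait_thr.join
      return :timeout
    end
    status = wait_thr.value
    out_reader.join
    err = err_reader.value.to_s
    return :crashed if status.signaled? || err.include?("[BUG]")
    status.success? ? :ok : :error
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "#{RUBY_DESCRIPTION}: #{probe_regexp}"
end
```

On an affected build (e.g. the 3.3.0dev revision in the report) the probe reports `:crashed`; on a build carrying the fix it reports `:ok`.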