Issue #20453 has been updated by dodecadaniel (Daniel Colson).
I opened
https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so
please correct me if I got something wrong!
----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-108107
* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
https://bugs.ruby-lang.org/issues/20228 frees `stk_base` to avoid a memory leak, but
`stk_base` is sometimes stack-allocated ([see
`xalloca`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1177-L1181)).
So the free only works if the regex stack grows enough that it needs to double ([see
`xmalloc` and `xrealloc` in
`stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1210-L1249)).
Reproduction:
```ruby
# Set a very short timeout so the match is interrupted while its backtrack stack is small.
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```
I'll open a PR shortly.
https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that
version as well.
--
https://bugs.ruby-lang.org/
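As an added illustration (not code from this issue, from the linked PR, or from Onigmo itself), the following is a simplified C model of the pattern the report describes: a backtrack stack that starts in caller-supplied stack memory and moves to the heap only when it first doubles, with a cleanup path that frees storage only once it is actually a heap block. The names (`match_stack`, `stack_double`, `stack_finish`, `simulate`) and the fixed 8-entry initial buffer standing in for `xalloca` are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model (not Onigmo's code) of a backtrack stack whose initial
 * storage is caller-supplied stack memory and which moves to the heap only
 * when it grows past that initial capacity. */
typedef struct {
    int *base;      /* current storage: the initial buffer or a heap block */
    size_t cap;
    size_t len;
    int on_heap;    /* 1 once base points at malloc'd memory */
} match_stack;

/* Attach a caller-owned initial buffer (stands in for the xalloca'd stack). */
void stack_init(match_stack *s, int *initial, size_t cap) {
    s->base = initial;
    s->cap = cap;
    s->len = 0;
    s->on_heap = 0;
}

/* Double the capacity. The first growth copies out of the stack buffer into
 * malloc'd memory; later growths realloc. Returns 0 on allocation failure. */
static int stack_double(match_stack *s) {
    size_t new_cap = s->cap * 2;
    int *p;
    if (!s->on_heap) {
        p = malloc(new_cap * sizeof *p);
        if (!p) return 0;
        memcpy(p, s->base, s->len * sizeof *p);
        s->on_heap = 1;
    } else {
        p = realloc(s->base, new_cap * sizeof *p);
        if (!p) return 0;
    }
    s->base = p;
    s->cap = new_cap;
    return 1;
}

/* Push one entry, growing first if the stack is full. Returns 0 on failure. */
int stack_push(match_stack *s, int v) {
    if (s->len == s->cap && !stack_double(s)) return 0;
    s->base[s->len++] = v;
    return 1;
}

/* Cleanup on any exit path (normal completion or timeout). Calling free() on
 * base unconditionally here is the bug the issue describes: when the stack
 * never grew, base still points at the caller's stack buffer and freeing it is
 * undefined behaviour ("pointer being freed was not allocated"). The on_heap
 * flag makes the free conditional. Returns 1 if a heap block was freed, 0 if
 * storage was still the initial buffer. */
int stack_finish(match_stack *s) {
    int freed = 0;
    if (s->on_heap) {
        free(s->base);
        freed = 1;
    }
    s->base = NULL;
    s->cap = 0;
    s->len = 0;
    s->on_heap = 0;
    return freed;
}

/* Run n pushes against a small initial buffer and report whether the stack
 * ended up on the heap (1), stayed in the initial buffer (0), or failed (-1).
 * A short match interrupted by a timeout corresponds to a small n. */
int simulate(size_t n) {
    int initial[8];   /* constructed stand-in for the alloca'd initial stack */
    match_stack s;
    stack_init(&s, initial, 8);
    for (size_t i = 0; i < n; i++) {
        if (!stack_push(&s, (int)i)) {
            stack_finish(&s);
            return -1;
        }
    }
    return stack_finish(&s);
}
```

The point of the model is the `on_heap` flag: whether `base` may be passed to `free()` depends on whether `stack_double` has ever run, not on which exit path (completion or timeout) reached the cleanup.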