Fix regex timeout double-free after stack_double

As of 10574857ce167869524b97ee862b610928f6272f, it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of match_at and a second time in `FREE_MATCH_ARG` in the parent caller. Fixes [Bug #20886]
author: John Hawthorn <[email protected]> 2024-11-04 18:05:59 -0800
committer: John Hawthorn <[email protected]> 2024-11-11 23:33:21 -0800
commit: 8409edc4971f34cf0d77c375909c5b8f7b1e058a (patch)
tree: 7f3e5dd2cf5d8b7d607526e8764ac51e197a195f /regexec.c
parent: a6fdd8883cab6b31357552db8a64cfb335678172 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/regexec.c b/regexec.c
index 1039bd2ba1..8245678355 100644
--- a/regexec.c
+++ b/regexec.c
@@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
   return ONIGERR_UNEXPECTED_BYTECODE;
 
  timeout:
+  STACK_SAVE;
   xfree(xmalloc_base);
-  if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
-      xfree(stk_base);
   return ONIGERR_TIMEOUT;
 }
author	John Hawthorn <[email protected]>	2024-11-04 18:05:59 -0800
committer	John Hawthorn <[email protected]>	2024-11-11 23:33:21 -0800
commit	8409edc4971f34cf0d77c375909c5b8f7b1e058a (patch)
tree	7f3e5dd2cf5d8b7d607526e8764ac51e197a195f /regexec.c
parent	a6fdd8883cab6b31357552db8a64cfb335678172 (diff)