From 8409edc4971f34cf0d77c375909c5b8f7b1e058a Mon Sep 17 00:00:00 2001
From: John Hawthorn
Date: Mon, 4 Nov 2024 18:05:59 -0800
Subject: Fix regex timeout double-free after stack_double
As of 10574857ce167869524b97ee862b610928f6272f, it's possible to crash on a double free due to `stk_alloc` AKA `msa->stack_p` being freed twice, once at the end of match_at and a second time in `FREE_MATCH_ARG` in the parent caller. Fixes [Bug #20886]
---
 regexec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'regexec.c')
diff --git a/regexec.c b/regexec.c
index 1039bd2ba1..8245678355 100644
--- a/regexec.c
+++ b/regexec.c
@@ -4217,9 +4217,8 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 return ONIGERR_UNEXPECTED_BYTECODE;
 timeout:
+ STACK_SAVE;
 xfree(xmalloc_base);
- if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))
- xfree(stk_base);
 return ONIGERR_TIMEOUT;
 }
-- cgit v1.2.3
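Review bot: The timeout exit now hands the heap-allocated match stack back to the caller instead of freeing it, but nothing at the label records that ownership rule, and the removed `if (stk_base != stk_alloc || IS_NOT_NULL(msa->stack_p))` branch shows how easily it is reintroduced; a comment above the added `STACK_SAVE;` such as `/* do not free stk_base here: STACK_SAVE hands it to msa->stack_p and the caller's FREE_MATCH_ARG releases it exactly once */` would pin the contract. This presumes STACK_SAVE stores stk_base into msa->stack_p when the stack has been moved to the heap, as the commit message implies; the macro and the other exit labels are outside the hunk, so whether the timeout path now matches them cannot be confirmed from here. The diffstat lists only regexec.c, so no regression test for a timeout after the stack has grown (Bug #20886) accompanies the fix. match_at's body starts well before this hunk; only its signature is visible in the @@ header.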