

ref: 5c337af4b3df80cf967e4f9f6a21522de84b392a
parent: 5000749f5afe3b956fc916e407309de840997f4a
author: Tor Andersson <tor.andersson@artifex.com>
date: Wed Sep 21 12:01:08 EDT 2016

Fix bug 697142: Stale string pointer stored in regexp object.

Make sure to make a copy of the source pattern string.
A case we missed when adding short and memory strings to the runtime.
The code assumed all strings passed to it were either literal or interned.

--- a/jsgc.c
+++ b/jsgc.c
@@ -44,8 +44,10 @@
 {
 	if (obj->head)
 		jsG_freeproperty(J, obj->head);
-	if (obj->type == JS_CREGEXP)
+	if (obj->type == JS_CREGEXP) {
+		js_free(J, obj->u.r.source);
 		js_regfree(obj->u.r.prog);
+	}
 	if (obj->type == JS_CITERATOR)
 		jsG_freeiterator(J, obj->u.iter.head);
 	if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
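Review bot: The added `js_free(J, obj->u.r.source)` takes ownership of the field unconditionally, so it is correct only as long as the jsregexp.c constructor changed in this commit is the sole code that assigns `u.r.source`; any other assignment from a literal or interned string (none visible here) would now be released through the user allocator. If `source` is NULL at finalisation, the value goes straight to `J->alloc(J->actx, ptr, 0)` per the js_free body in jsrun.c, and whether a user-supplied allocator tolerates that is its own contract rather than this code's; a guard `if (obj->u.r.source) js_free(J, obj->u.r.source);` makes the finalizer independent of it. The enclosing function starts above this hunk.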
--- a/jsi.h
+++ b/jsi.h
@@ -79,6 +79,7 @@
 
 /* String interning */
 
+char *js_strdup(js_State *J, const char *s);
 const char *js_intern(js_State *J, const char *s);
 void jsS_dumpstrings(js_State *J);
 void jsS_freestrings(js_State *J);
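Review bot: The new `js_strdup` prototype sits under the "String interning" heading although it does not intern: it returns a fresh allocation the caller must release with js_free, whereas js_intern directly below returns runtime-owned memory. A one-line comment would keep the two from being confused: `/* Returns a js_malloc'd copy of s; the caller releases it with js_free. */`.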
--- a/jsregexp.c
+++ b/jsregexp.c
@@ -21,7 +21,7 @@
 		js_syntaxerror(J, "regular expression: %s", error);
 
 	obj->u.r.prog = prog;
-	obj->u.r.source = pattern;
+	obj->u.r.source = js_strdup(J, pattern);
 	obj->u.r.flags = flags;
 	obj->u.r.last = 0;
 	js_pushobject(J, obj);
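Review bot: `obj->u.r.source = js_strdup(J, pattern);` runs after `obj->u.r.prog = prog;`, so if the copy's allocation fails and js_malloc unwinds (its out-of-memory handling is outside this hunk), the object already holds a compiled prog plus whatever `source` contained beforehand, and the finalizer in jsgc.c will js_free that value. That is harmless only if the object was zero-initialised at creation, which this hunk does not show; copying the pattern before the compile step, or at least before `prog` is stored, would remove the window. The enclosing function starts above this hunk.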
--- a/jsrun.c
+++ b/jsrun.c
@@ -45,6 +45,14 @@
 	return ptr;
 }
 
+char *js_strdup(js_State *J, const char *s)
+{
+	int n = strlen(s) + 1;
+	char *p = js_malloc(J, n);
+	memcpy(p, s, n);
+	return p;
+}
+
 void js_free(js_State *J, void *ptr)
 {
 	J->alloc(J->actx, ptr, 0);
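Review bot: `int n = strlen(s) + 1;` narrows a size_t to int, so a string of INT_MAX bytes or more yields a negative or small n, js_malloc is asked for that size, and `memcpy(p, s, n)` then converts n back to a huge size_t — an out-of-bounds write driven by the length of the input string. Keep the length as `size_t n = strlen(s) + 1;` and, if js_malloc's size parameter is int (its definition is above this hunk), reject `n > INT_MAX` before calling it. Worth confirming too that string.h is included in this translation unit, since strlen and memcpy are new here and the include list is not in view.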
--- a/jsvalue.h
+++ b/jsvalue.h
@@ -71,7 +71,7 @@
 struct js_Regexp
 {
 	void *prog;
-	const char *source;
+	char *source;
 	unsigned short flags;
 	unsigned short last;
 };
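Review bot: Dropping `const` from `source` changes the field's ownership — it is now heap memory the object must release — but the struct does not say so, and a reader of this header still sees js_Regexp as holding a borrowed string next to `prog`. A trailing comment, `char *source; /* js_strdup'd copy, freed with the object */`, records the contract that the jsgc.c and jsregexp.c hunks in this commit rely on.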