de-fuzz: more recursive calls that require proper stack unwinding to prevent memory leaks if matching throws.

2025-07-16 13:52:17 +02:00 · 2017-02-23 09:43:22 +00:00
parent 982f3bbe45
commit c8044ffca0
1 changed files with 35 additions and 4 deletions
--- a/include/boost/regex/v4/perl_matcher_non_recursive.hpp
+++ b/include/boost/regex/v4/perl_matcher_non_recursive.hpp
@ -404,7 +404,11 @@ bool perl_matcher<BidiIterator, Allocator, traits>::match_startmark()
         m_independent = true;
         const re_syntax_base* next_pstate = static_cast<const re_jump*>(pstate->next.p)->alt.p->next.p;
         pstate = pstate->next.p->next.p;
-         bool r = match_all_states();
+         bool r = false;
+#if !defined(BOOST_NO_EXCEPTIONS)
+      try{
+#endif
+         r = match_all_states();
         if(!r && !m_independent)
         {
            // Must be unwinding from a COMMIT/SKIP/PRUNE and the independent 
@ -412,6 +416,18 @@ bool perl_matcher<BidiIterator, Allocator, traits>::match_startmark()
            while(unwind(false));
            return false;
         }
+#if !defined(BOOST_NO_EXCEPTIONS)
+      }
+      catch(...)
+      {
+         pstate = next_pstate;
+         // unwind all pushed states, apart from anything else this
+         // ensures that all the states are correctly destructed
+         // not just the memory freed.
+         while(unwind(true)) {}
+         throw;
+      }
+#endif
      pstate = next_pstate;
      m_independent = old_independent;
 #ifdef BOOST_REGEX_MATCH_EXTRA
@ -427,7 +443,22 @@ bool perl_matcher<BidiIterator, Allocator, traits>::match_startmark()
            for(i = 0; i < temp_match.size(); ++i)
               (*m_presult)[i].get_captures().clear();
            // match everything else:
+#if !defined(BOOST_NO_EXCEPTIONS)
+            try{
+#endif
               r = match_all_states();
+#if !defined(BOOST_NO_EXCEPTIONS)
+            }
+            catch(...)
+            {
+               pstate = next_pstate;
+               // unwind all pushed states, apart from anything else this
+               // ensures that all the states are correctly destructed
+               // not just the memory freed.
+               while(unwind(true)) {}
+               throw;
+            }
+#endif
         // now place the stored captures back:
            for(i = 0; i < temp_match.size(); ++i)
            {