Fix a bug in regex

Due to dereferencing a pointer which may be invalidated
Tencent · Apr 17, 2016 · be352d9 · be352d9
1 parent 8f4e99b
commit be352d9
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/include/rapidjson/internal/regex.h b/include/rapidjson/internal/regex.h
@@ -468,17 +468,17 @@ class GenericRegex {
     static SizeType Min(SizeType a, SizeType b) { return a < b ? a : b; }
 
     void CloneTopOperand(Stack<Allocator>& operandStack) {
-        const Frag *src = operandStack.template Top<Frag>();
-        SizeType count = stateCount_ - src->minIndex; // Assumes top operand contains states in [src->minIndex, stateCount_)
+        const Frag src = *operandStack.template Top<Frag>(); // Copy constructor to prevent invalidation
+        SizeType count = stateCount_ - src.minIndex; // Assumes top operand contains states in [src->minIndex, stateCount_)
         State* s = states_.template Push<State>(count);
-        memcpy(s, &GetState(src->minIndex), count * sizeof(State));
+        memcpy(s, &GetState(src.minIndex), count * sizeof(State));
         for (SizeType j = 0; j < count; j++) {
             if (s[j].out != kRegexInvalidState)
                 s[j].out += count;
             if (s[j].out1 != kRegexInvalidState)
                 s[j].out1 += count;
         }
-        *operandStack.template Push<Frag>() = Frag(src->start + count, src->out + count, src->minIndex + count);
+        *operandStack.template Push<Frag>() = Frag(src.start + count, src.out + count, src.minIndex + count);
         stateCount_ += count;
     }
 

diff --git a/test/unittest/regextest.cpp b/test/unittest/regextest.cpp
@@ -584,4 +584,9 @@ TEST(Regex, Issue538) {
     EXPECT_TRUE(re.IsValid());
 }
 
+TEST(Regex, Issue583) {
+    Regex re("[0-9]{99999}");
+    ASSERT_TRUE(re.IsValid());
+}
+
 #undef EURO