$NetBSD: patch-bugzilla288688,v 1.1 2005/04/07 23:48:36 taya Exp $
diff -ru ../Orig/mozilla/js/src/jsstr.c ./js/src/jsstr.c
--- ../Orig/mozilla/js/src/jsstr.c 2003-12-22 15:13:07.000000000 +0900
+++ ./js/src/jsstr.c 2005-04-06 23:33:09.000000000 +0900
@@ -1378,11 +1378,17 @@
JSBool ok;
/*
- * Save the rightContext from the current regexp, since it
- * gets stuck at the end of the replacement string and may
- * be clobbered by a RegExp usage in the lambda function.
+ * Save the regExpStatics from the current regexp, since they may be
+ * clobbered by a RegExp usage in the lambda function. Note that all
+ * members of JSRegExpStatics are JSSubStrings, so not GC roots, save
+ * input, which is rooted otherwise via argv[-1] in str_replace.
+ *
+ * We need to clear moreParens in the top-of-stack cx->regExpStatics
+ * to it won't be possibly realloc'ed, leaving the bottom-of-stack
+ * moreParens pointing to freed memory.
*/
- JSSubString saveRightContext = cx->regExpStatics.rightContext;
+ JSRegExpStatics save = cx->regExpStatics;
+ cx->regExpStatics.moreParens = NULL;
/*
* In the lambda case, not only do we find the replacement string's
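Review bot: The new comment block ends with a garbled sentence, `to it won't be possibly realloc'ed`, which should read `so it won't be realloc'ed`, and its first paragraph claims every member of JSRegExpStatics is a JSSubString while the second paragraph treats moreParens as a heap pointer that can be realloc'ed and freed; saying that members other than moreParens are JSSubStrings keeps the rooting argument accurate. Clearing only the pointer at `cx->regExpStatics.moreParens = NULL;` is sufficient only if the regexp executor decides whether to allocate by testing that pointer for NULL; if it instead trusts a companion capacity or count field kept in the statics, that field has to be reset here as well or a nested match with many parens could index through the NULL pointer — the executor is not visible from this patch, so please confirm. The enclosing function starts before this hunk.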
@@ -1460,7 +1466,9 @@
lambda_out:
js_FreeStack(cx, mark);
- cx->regExpStatics.rightContext = saveRightContext;
+ if (cx->regExpStatics.moreParens)
+ JS_free(cx, cx->regExpStatics.moreParens);
+ cx->regExpStatics = save;
return ok;
}
#endif /* JS_HAS_REPLACE_LAMBDA */
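Review bot: The cleanup at `lambda_out:` now owns heap memory, so any exit in the lambda case that returns without passing through this label leaks the moreParens array the lambda's own RegExp usage allocated and leaves the caller with cx->regExpStatics.moreParens still NULL and the other statics stale; the code between the save and this label is outside the hunk, so it is worth confirming that every early-out there jumps to `lambda_out` rather than returning directly. A short comment above the free would make the ownership explicit for the next reader, e.g. `/* Free any moreParens the lambda's RegExp usage allocated; save.moreParens is intact because ours was NULLed before the call. */`. The enclosing function starts before this hunk.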