6 files changed, 61 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 9559168c31..3d91c0684c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+Tue Aug 19 23:31:48 2014  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
+
+	merge r46831 partially. extracted commits are as follows.
+	https://github.com/k-takata/Onigmo/commit/b9fba1dc63ccb42a86e934011b468e6022fabb74
+	https://github.com/k-takata/Onigmo/commit/c1fc76b9bd463948ffc5058bc352bf93732f0314
+	https://github.com/k-takata/Onigmo/commit/a0efc0a200f7108ca3d5ac3039c8f952e0051619
+	https://github.com/k-takata/Onigmo/commit/c7cda4ed5676167b0d01bb5555724f6164fbdb13
+	[Bug #8716]
+
+	* include/ruby/oniguruma.h (ONIG_MAX_CAPTURE_GROUP_NUM,
+	  ONIGERR_TOO_MANY_CAPTURE_GROUPS): add cheking the number of capture
+	  groups.
+
+	* regerror.c (onig_error_code_to_format): ditto.
+
+	* regparse.c (scan_env_add_mem_entry): ditto.
+
+	* regexec.c (onig_region_copy, match_at): fix: segmation fault occurs
+	  when many groups are used.
+
 Mon Aug 18 23:38:21 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* encoding.c (enc_find): [DOC] never accepted a symbol.
diff --git a/include/ruby/oniguruma.h b/include/ruby/oniguruma.h
index 6a26ee4aaa..d533a05b66 100644
--- a/include/ruby/oniguruma.h
+++ b/include/ruby/oniguruma.h
@@ -338,6 +338,7 @@ int onigenc_str_bytelen_null P_((OnigEncoding enc, const OnigUChar* p));
 /* config parameters */
 #define ONIG_NREGION                          10
 #define ONIG_MAX_BACKREF_NUM                1000
+#define ONIG_MAX_CAPTURE_GROUP_NUM         32767
 #define ONIG_MAX_REPEAT_NUM               100000
 #define ONIG_MAX_MULTI_BYTE_RANGES_NUM     10000
 /* constants */
@@ -582,6 +583,7 @@ ONIG_EXTERN const OnigSyntaxType*   OnigDefaultSyntax;
 #define ONIGERR_NEVER_ENDING_RECURSION                       -221
 #define ONIGERR_GROUP_NUMBER_OVER_FOR_CAPTURE_HISTORY        -222
 #define ONIGERR_INVALID_CHAR_PROPERTY_NAME                   -223
+#define ONIGERR_TOO_MANY_CAPTURE_GROUPS                      -224
 #define ONIGERR_INVALID_CODE_POINT_VALUE                     -400
 #define ONIGERR_INVALID_WIDE_CHAR_VALUE                      -400
 #define ONIGERR_TOO_BIG_WIDE_CHAR_VALUE                      -401
diff --git a/regerror.c b/regerror.c
index 9c94d23018..d32b50d12b 100644
--- a/regerror.c
+++ b/regerror.c
@@ -133,6 +133,8 @@ onig_error_code_to_format(OnigPosition code)
     p = "too short multibyte code string"; break;
   case ONIGERR_TOO_BIG_BACKREF_NUMBER:
     p = "too big backref number"; break;
+  case ONIGERR_TOO_MANY_CAPTURE_GROUPS:
+    p = "too many capture groups are specified"; break;
   case ONIGERR_INVALID_BACKREF:
 #ifdef USE_NAMED_GROUP
     p = "invalid backref number/name"; break;
diff --git a/regexec.c b/regexec.c
index 997849695e..973d3eac00 100644
--- a/regexec.c
+++ b/regexec.c
@@ -444,9 +444,26 @@ onig_region_copy(OnigRegion* to, OnigRegion* from)
 
 
 
-#define STACK_INIT(alloc_addr, ptr_num, stack_num)  do {\
-  if (msa->stack_p) {\
+#define MAX_PTR_NUM 100
+
+#define STACK_INIT(alloc_addr, heap_addr, ptr_num, stack_num)  do {\
+  if (ptr_num > MAX_PTR_NUM) {\
+    alloc_addr = (char* )xmalloc(sizeof(OnigStackIndex) * (ptr_num));\
+    heap_addr  = alloc_addr;\
+    if (msa->stack_p) {\
+      stk_alloc = (OnigStackType* )(msa->stack_p);\
+      stk_base  = stk_alloc;\
+      stk       = stk_base;\
+      stk_end   = stk_base + msa->stack_n;\
+    } else {\
+      stk_alloc = (OnigStackType* )xalloca(sizeof(OnigStackType) * (stack_num));\
+      stk_base  = stk_alloc;\
+      stk       = stk_base;\
+      stk_end   = stk_base + (stack_num);\
+    }\
+  } else if (msa->stack_p) {\
     alloc_addr = (char* )xalloca(sizeof(OnigStackIndex) * (ptr_num));\
+    heap_addr  = NULL;\
     stk_alloc  = (OnigStackType* )(msa->stack_p);\
     stk_base   = stk_alloc;\
     stk        = stk_base;\
@@ -455,6 +472,7 @@ onig_region_copy(OnigRegion* to, OnigRegion* from)
   else {\
     alloc_addr = (char* )xalloca(sizeof(OnigStackIndex) * (ptr_num)\
 		       + sizeof(OnigStackType) * (stack_num));\
+    heap_addr  = NULL;\
     stk_alloc  = (OnigStackType* )(alloc_addr + sizeof(OnigStackIndex) * (ptr_num));\
     stk_base   = stk_alloc;\
     stk        = stk_base;\
@@ -529,7 +547,11 @@ stack_double(OnigStackType** arg_stk_base, OnigStackType** arg_stk_end,
 #define STACK_ENSURE(n)	do {\
   if (stk_end - stk < (n)) {\
     int r = stack_double(&stk_base, &stk_end, &stk, stk_alloc, msa);\
-    if (r != 0) { STACK_SAVE; return r; } \
+    if (r != 0) {\
+      STACK_SAVE;\
+      if (xmalloc_base) xfree(xmalloc_base);\
+      return r;\
+    }\
   }\
 } while(0)
 
@@ -1325,6 +1347,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
   UChar *p = reg->p;
   UChar *pkeep;
   char *alloca_base;
+  char *xmalloc_base = NULL;
   OnigStackType *stk_alloc, *stk_base, *stk, *stk_end;
   OnigStackType *stkp; /* used as any purpose. */
   OnigStackIndex si;
@@ -1340,7 +1363,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
   /* Stack #0 is used to store the pattern itself and used for (?R), \g<0>, etc. */
   n = reg->num_repeat + (reg->num_mem + 1) * 2;
 
-  STACK_INIT(alloca_base, n, INIT_MATCH_STACK_SIZE);
+  STACK_INIT(alloca_base, xmalloc_base, n, INIT_MATCH_STACK_SIZE);
   pop_level = reg->stack_pop_level;
   num_mem = reg->num_mem;
   repeat_stk = (OnigStackIndex* )alloca_base;
@@ -1354,7 +1377,7 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
   /* Stack #0 not is used. */
   n = reg->num_repeat + reg->num_mem * 2;
 
-  STACK_INIT(alloca_base, n, INIT_MATCH_STACK_SIZE);
+  STACK_INIT(alloca_base, xmalloc_base, n, INIT_MATCH_STACK_SIZE);
   pop_level = reg->stack_pop_level;
   num_mem = reg->num_mem;
   repeat_stk = (OnigStackIndex* )alloca_base;
@@ -2916,20 +2939,24 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
 
  finish:
   STACK_SAVE;
+  if (xmalloc_base) xfree(xmalloc_base);
   return best_len;
 
 #ifdef ONIG_DEBUG
  stack_error:
   STACK_SAVE;
+  if (xmalloc_base) xfree(xmalloc_base);
   return ONIGERR_STACK_BUG;
 #endif
 
  bytecode_error:
   STACK_SAVE;
+  if (xmalloc_base) xfree(xmalloc_base);
   return ONIGERR_UNDEFINED_BYTECODE;
 
  unexpected_bytecode_error:
   STACK_SAVE;
+  if (xmalloc_base) xfree(xmalloc_base);
   return ONIGERR_UNEXPECTED_BYTECODE;
 }
 
diff --git a/regparse.c b/regparse.c
index 774ee0a960..fac79a311b 100644
--- a/regparse.c
+++ b/regparse.c
@@ -978,6 +978,8 @@ scan_env_add_mem_entry(ScanEnv* env)
   Node** p;
 
   need = env->num_mem + 1;
+  if (need > ONIG_MAX_CAPTURE_GROUP_NUM)
+    return ONIGERR_TOO_MANY_CAPTURE_GROUPS;
   if (need >= SCANENV_MEMNODES_SIZE) {
     if (env->mem_alloc <= need) {
       if (IS_NULL(env->mem_nodes_dynamic)) {
diff --git a/version.h b/version.h
index e8289d9140..372698234e 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.1.2"
-#define RUBY_RELEASE_DATE "2014-08-18"
-#define RUBY_PATCHLEVEL 202
+#define RUBY_RELEASE_DATE "2014-08-20"
+#define RUBY_PATCHLEVEL 203
 
 #define RUBY_RELEASE_YEAR 2014
 #define RUBY_RELEASE_MONTH 8
-#define RUBY_RELEASE_DAY 18
+#define RUBY_RELEASE_DAY 20
 
 #include "ruby/version.h"