Fix handling of allocation in regex matching

`re_match_2_internal' uses pointers to the lisp objects that it
searches.  Since it may call malloc when growing the "fail stack", these
pointers may be invalidated while searching, resulting in memory
curruption (Bug #24358).

To fix this, we check the pointer that the lisp object (as specified by
re_match_object) points to before and after growing the stack, and
update existing pointers accordingly.

* src/regex.c (STR_BASE_PTR): New macro.
(ENSURE_FAIL_STACK, re_search_2): Use it to convert pointers into
offsets before possible malloc call, and back into pointers again
afterwards.
(POS_AS_IN_BUFFER): Add explanatory comment about punning trick.
* src/search.c (search_buffer): Instead of storing search location as
pointers, store them as pointers and recompute the corresponding address
for each call to `re_search_2'.
(string_match_1, fast_string_match_internal, fast_looking_at):
* src/dired.c (directory_files_internal): Set `re_match_object' to Qnil
after calling `re_search' or `re_match_2'.
* src/regex.h (re_match_object): Mention new usage in commentary.

1 files changed, 3 insertions, 1 deletions

diff --git a/src/regex.h b/src/regex.h
index 51f4424ce94..61c771c045f 100644
--- a/src/regex.h
+++ b/src/regex.h
@@ -169,7 +169,9 @@ extern reg_syntax_t re_syntax_options;
 #ifdef emacs
 # include "lisp.h"
 /* In Emacs, this is the string or buffer in which we are matching.
-   It is used for looking up syntax properties.
+   It is used for looking up syntax properties, and also to recompute
+   pointers in case the object is relocated as a side effect of
+   calling malloc (if it calls r_alloc_sbrk in ralloc.c).
 
    If the value is a Lisp string object, we are matching text in that
    string; if it's nil, we are matching text in the current buffer; if