Description
When I run the following test code, my application crashes on the second regEx.matches call:
{
    // First run: build the option string "iH" and match once.
    XMLBuffer optionsBuf;
    optionsBuf.append('i');
    optionsBuf.append('H');
    RegularExpression regEx(L"^\\W*Excel\\W*$", optionsBuf.getRawBuffer());
    regEx.matches("Excel");
}
{
    // Second, identical run: this matches() call is the one that crashes.
    XMLBuffer optionsBuf;
    optionsBuf.append('i');
    optionsBuf.append('H');
    RegularExpression regEx(L"^\\W*Excel\\W*$", optionsBuf.getRawBuffer());
    regEx.matches("Excel");
}
Some details I found during debugging:
- There is an instance of RangeToken, and I have no idea where it is created. I've set a breakpoint in the constructor, but the debugger does not stop.
- When RangeToken::getCaseInsensitiveToken is called, a new RangeToken is created and stored in fCaseIToken.
- When parsing is finished, the newly created RangeToken is deleted (through ~RegularExpression -> ~TokenFactory), but the original RangeToken (I don't know where it is created) still exists and references the deleted RangeToken in fCaseIToken.
- The next time RangeToken::getCaseInsensitiveToken is called, the invalid reference fCaseIToken is returned, and this leads to a crash when it is accessed.
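
A simplified model of the lifetime problem described above, added here as an illustration and not taken from the report or from Xerces-C: `Token`, `Factory` and `LongLivedRange` are hypothetical stand-ins, and the range object is assumed to outlive each regex. The cache is a `std::weak_ptr`, so a token freed together with its factory is detected and rebuilt instead of being handed back as a dangling pointer.

```cpp
// Added illustration: simplified model, NOT Xerces-C source. All types are hypothetical.
#include <memory>
#include <vector>

struct Token { bool caseInsensitive = false; };

// Owns every token created while one regex is parsed; releases them on destruction.
struct Factory {
    std::vector<std::shared_ptr<Token>> owned;
    std::shared_ptr<Token> create() {
        owned.push_back(std::make_shared<Token>());
        return owned.back();
    }
};

// Stands in for the RangeToken that outlives the regex (assumption of this model).
struct LongLivedRange {
    std::weak_ptr<Token> caseI;   // non-owning cache; a raw pointer here would dangle
    int rebuilds = 0;
    std::shared_ptr<Token> getCaseInsensitive(Factory& f) {
        if (auto t = caseI.lock()) return t;  // cached token is still alive
        auto t = f.create();                  // first use, or the owning factory is gone
        t->caseInsensitive = true;
        caseI = t;
        ++rebuilds;
        return t;
    }
};

// Replays the two-regex sequence from the report against the model.
// Returns how many times the cached token had to be built, or -1 on error.
int run_twice(LongLivedRange& r) {
    for (int i = 0; i < 2; ++i) {
        Factory f;                          // per-regex factory, destroyed at end of scope
        auto t = r.getCaseInsensitive(f);
        if (!t->caseInsensitive) return -1;
        r.getCaseInsensitive(f);            // same factory alive: served from the cache
    }
    return r.rebuilds;
}

int main() { LongLivedRange r; return run_twice(r) == 2 ? 0 : 1; }
```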