From 9634ca556ef647f1b993d0f391c4899f97b24c62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1niel=20B=C3=A1tyai?=
Date: Tue, 3 Dec 2019 09:34:54 +0100
Subject: [PATCH] Fix leaking char buffer in RegExp.prototype[@@replace] (#3400)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #3392.
JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai@inf.u-szeged.hu
---
 jerry-core/ecma/operations/ecma-regexp-object.c | 3 ++-
 tests/jerry/es2015/symbol-replace.js | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/jerry-core/ecma/operations/ecma-regexp-object.c b/jerry-core/ecma/operations/ecma-regexp-object.c
index 1d27b061e..3005a301a 100644
--- a/jerry-core/ecma/operations/ecma-regexp-object.c
+++ b/jerry-core/ecma/operations/ecma-regexp-object.c
@@ -2220,11 +2220,12 @@ ecma_regexp_replace_helper (ecma_value_t this_arg, /**< this argument */
 (lit_utf8_size_t) (string_end_p - source_position_p));
 result = ecma_make_string_value (ecma_stringbuilder_finalize (&replace_ctx.builder));
- goto cleanup_results;
+ goto cleanup_chars;
 cleanup_builder:
 ecma_stringbuilder_destroy (&replace_ctx.builder);
+cleanup_chars:
 if (string_flags & ECMA_STRING_FLAG_MUST_BE_FREED)
 {
 jmem_heap_free_block ((void *) replace_ctx.string_p, replace_ctx.string_size);
diff --git a/tests/jerry/es2015/symbol-replace.js b/tests/jerry/es2015/symbol-replace.js
index dc9cdce5c..976192b9c 100644
--- a/tests/jerry/es2015/symbol-replace.js
+++ b/tests/jerry/es2015/symbol-replace.js
@@ -660,3 +660,11 @@ try {
 } catch (e) {
 assert (e === "abrupt @@replace")
 }
+
+class Regexplike2 {
+ exec() {
+ return {}
+ }
+}
+re = new Regexplike2();
+assert (replace.call (re, "1") === "undefined");
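Review bot: The new `cleanup_chars:` label is reached both by the success path's `goto cleanup_chars` and by fall-through from `cleanup_builder:`, and nothing in the hunk records why the success path must skip `ecma_stringbuilder_destroy` — presumably because `ecma_stringbuilder_finalize` has already consumed the builder, but that is not visible here. A comment above the label would keep the ladder from being reordered later: `/* Reached on success (builder already finalized into result) and by fall-through from cleanup_builder. */`. It is also worth stating at the `goto cleanup_chars` site that `result` owns its own copy, so freeing `replace_ctx.string_p` below does not invalidate it; if the finalized string could alias the char buffer this would be a use-after-free, which I cannot rule out from the hunk alone. ecma_regexp_replace_helper begins and ends outside the hunk, including the old `cleanup_results` target, so whether `cleanup_chars` still falls through to it is not visible.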
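Review bot: The added test asserts only the value of `replace.call (re, "1")`, which nothing in the commit suggests was wrong before; the actual regression (#3392) is a leaked heap block, which would only surface in a build that checks for leaks at exit, so a reader cannot tell from the test what it guards. A comment above `class Regexplike2` would make that explicit: `// Regression test for #3392: a successful @@replace must release the subject string's char buffer.`. Also, `re = new Regexplike2();` assigns without a declaration, which is fine only if `re` is declared earlier in the file; `replace` is likewise defined outside the hunk, so I cannot confirm either from here.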