author: Karl Williamson <khw@cpan.org> 2020-04-21 17:30:42 -0600
committer: Karl Williamson <khw@cpan.org> 2020-04-29 13:10:11 -0600
commit: 07b2324000451f5ce36e176cb75d49997ca895bf (patch)
tree: 3450208b5e7d28828c554dedb66d03c0a2b79890 /t/re
parent: 28601d809e9116df25d4e9a091f21ecf73a1c87a (diff)
regcomp.c: Avoid use after free
It turns out that the SV returned by re_intuit_string() may be freed by future calls to re_intuit_start(). Thus, the caller doesn't get clear title to the returned SV. (This wasn't documented until the commit immediately prior to this one.)

Cope with this situation by making a mortalized copy. This commit also changes to use the copy's PV directly, simplifying some 'if' statements.

re_intuit_string() is effectively in the API, as it is an element in the regex engine structure, callable by anyone. It should not be returning a tenuous SV. That returned scalar should not be freed before the pattern it is for is freed. It is too late in the development cycle to change this, so this workaround is presented instead for 5.32.

This fixes #17734.
Diffstat (limited to 't/re')
-rw-r--r-- t/re/pat_advanced.t | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/t/re/pat_advanced.t b/t/re/pat_advanced.t
index 41f344ac9e..21bdb8ca15 100644
--- a/t/re/pat_advanced.t
+++ b/t/re/pat_advanced.t
@@ -2553,6 +2553,15 @@ EOF
{}, "Too large negative relative group number");
}
+ { # GH #17734, ASAN use after free
+ fresh_perl_like('no warnings "experimental::uniprop_wildcards";
+ my $re = q<[[\p{name=/[Y-]+Z/}]]>;
+ eval { "\N{BYZANTINE MUSICAL SYMBOL PSILI}"
+ =~ /$re/ }; print $@ if $@; print "Done\n";',
+ qr/Done/,
+ {}, "GH #17734");
+ }
+
# !!! NOTE that tests that aren't at all likely to crash perl should go
# a ways above, above these last ones. There's a comment there that, like
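Review bot: In the added fresh_perl_like block, the program wraps the match in eval and prints $@, while the expected output is the unanchored qr/Done/, so the test still passes if the match dies with an unexpected error; only a crash that stops "Done\n" from being printed makes it fail. If no exception is expected, consider fresh_perl_is with "Done" as the expected output, or anchor the pattern (qr/^Done$/), so that any text from $@ fails the test; if an exception is legitimate here, a short comment saying so would help. The "# GH #17734, ASAN use after free" comment could also say whether the failure is only observable on an ASAN build, so readers know what a pass on a normal build does and does not prove.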