push
github
Fix predict_next() in parser (again). Reported by Sergey Bronnikov. (cherry picked from commit 309fb42b8) The following Lua snippet triggers out-of-boundary access to a stack: ``` a, b, c = 1, 2, 3 local d for _ in nil do end ``` During the execution of this snippet with LuaJIT instrumented by ASAN, it leads to a heap-based buffer overflow. In function `predict_next()` variable `exprpc` looks forward and expects extra bytecodes on the stack. However, `KPRI` is merged to `KNIL` and there is no new bytecode to add, so `exprpc == fs->bclim`, and it leads to out-of-boundary access. Issue has been fixed by an early return when `pc >= fs->bclim`. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Reviewed-by: Sergey Kaplun <skaplun@tarantool.org> Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org>
5333 of 5969 branches covered (0.0%)
Branch coverage included in aggregate %.
20437 of 23287 relevant lines covered (87.76%)
1295914.01 hits per line