tarantool / luajit / 6109128487 / 1

88%

tarantool/master: 93%

push

github

Fix predict_next() in parser (again).

Reported by Sergey Bronnikov.

(cherry picked from commit 309fb42b8)

The following Lua snippet triggers out-of-boundary access to a stack:

```
a, b, c = 1, 2, 3
local d
for _ in nil do end
```

During the execution of this snippet with LuaJIT instrumented by ASAN,
it leads to a heap-based buffer overflow.

In function `predict_next()` variable `exprpc` looks forward and expects
extra bytecodes on the stack. However, `KPRI` is merged to `KNIL` and
there is no new bytecode to add, so `exprpc == fs->bclim`, and it leads
to out-of-boundary access. Issue has been fixed by an early return when
`pc >= fs->bclim`.

Sergey Bronnikov:
* added the description and the test for the problem

Part of tarantool/tarantool#8825

5335 of 5969 branches covered (0.0%)

Branch coverage included in aggregate %.

20459 of 23287 relevant lines covered (87.86%)

1285815.48 hits per line