bug: expression list with four or more expressions in

a 'for' loop can crash the interpreter.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2016-06-21 14:22:34 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2016-06-21 14:22:34 -0300
commit: fac00ca023c16f6d06beec502e8320017e3c6af2 (patch)
tree: 255d360243a0ecccbf20ceb6ede05a783a2a2b98
parent: 6487fb11fcae97b6cb7d06e32063fd786b35874c (diff)
download: lua-fac00ca023c16f6d06beec502e8320017e3c6af2.tar.gz
lua-fac00ca023c16f6d06beec502e8320017e3c6af2.tar.bz2
lua-fac00ca023c16f6d06beec502e8320017e3c6af2.zip
1 files changed, 39 insertions, 0 deletions
diff --git a/bugs b/bugs
index eb439c8b..d0f9ad1e 100644
--- a/bugs
+++ b/bugs
@@ -3602,6 +3602,45 @@ patch = [[
 }
+Bug{
+what = [[expression list with four or more expressions in
+a 'for' loop can crash the interpreter]],
+report = [[Marco Schöpl, 2016/06/17]],
+since = [[5.2]],
+fix = nil,
+example = [[
+-- the next loop will probably crash the interpreter
+repeat until load "for _ in _,_,_,_ do local function _() end"
+]],
+patch = [[
+--- lparser.c   2016/05/13 19:10:16     2.153
+++ lparser.c   2016/06/17 19:52:48
+@@ -323,6 +323,8 @@
+       luaK_nil(fs, reg, extra);
+     }
+   }
+  if (nexps > nvars)
+    ls->fs->freereg -= nexps - nvars;  /* remove extra values */
+ }
+ 
+ 
+@@ -1160,11 +1162,8 @@
+     int nexps;
+     checknext(ls, '=');
+     nexps = explist(ls, &e);
+-    if (nexps != nvars) {
+    if (nexps != nvars)
+       adjust_assign(ls, nvars, nexps, &e);
+-      if (nexps > nvars)
+-        ls->fs->freereg -= nexps - nvars;  /* remove extra values */
+-    }
+     else {
+       luaK_setoneret(ls->fs, &e);  /* close last expression */
+       luaK_storevar(ls->fs, &lh->v, &e);
+]]
+}
 --[=[
 Bug{
 what = [[ ]],
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2016-06-21 14:22:34 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2016-06-21 14:22:34 -0300
commit	fac00ca023c16f6d06beec502e8320017e3c6af2 (patch)
tree	255d360243a0ecccbf20ceb6ede05a783a2a2b98
parent	6487fb11fcae97b6cb7d06e32063fd786b35874c (diff)
download	lua-fac00ca023c16f6d06beec502e8320017e3c6af2.tar.gz lua-fac00ca023c16f6d06beec502e8320017e3c6af2.tar.bz2 lua-fac00ca023c16f6d06beec502e8320017e3c6af2.zip

diff --git a/bugs b/bugs index eb439c8b..d0f9ad1e 100644 --- a/bugs +++ b/bugs
@@ -3602,6 +3602,45 @@ patch = [[
3602	}	3602	}
3603		3603
3604		3604
		3605	Bug{
		3606	what = [[expression list with four or more expressions in
		3607	a 'for' loop can crash the interpreter]],
		3608	report = [[Marco Schöpl, 2016/06/17]],
		3609	since = [[5.2]],
		3610	fix = nil,
		3611	example = [[
		3612	-- the next loop will probably crash the interpreter
		3613	repeat until load "for _ in _,_,_,_ do local function _() end"
		3614	]],
		3615	patch = [[
		3616	--- lparser.c 2016/05/13 19:10:16 2.153
		3617	+++ lparser.c 2016/06/17 19:52:48
		3618	@@ -323,6 +323,8 @@
		3619	luaK_nil(fs, reg, extra);
		3620	}
		3621	}
		3622	+ if (nexps > nvars)
		3623	+ ls->fs->freereg -= nexps - nvars; /* remove extra values */
		3624	}
		3625
		3626
		3627	@@ -1160,11 +1162,8 @@
		3628	int nexps;
		3629	checknext(ls, '=');
		3630	nexps = explist(ls, &e);
		3631	- if (nexps != nvars) {
		3632	+ if (nexps != nvars)
		3633	adjust_assign(ls, nvars, nexps, &e);
		3634	- if (nexps > nvars)
		3635	- ls->fs->freereg -= nexps - nvars; /* remove extra values */
		3636	- }
		3637	else {
		3638	luaK_setoneret(ls->fs, &e); /* close last expression */
		3639	luaK_storevar(ls->fs, &lh->v, &e);
		3640	]]
		3641	}
		3642
		3643
3605	--[=[	3644	--[=[
3606	Bug{	3645	Bug{
3607	what = [[ ]],	3646	what = [[ ]],