commit fac00ca023c16f6d06beec502e8320017e3c6af2
parent 6487fb11fcae97b6cb7d06e32063fd786b35874c
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Tue, 21 Jun 2016 14:22:08 -0300
bug: expression list with four or more expressions in
a 'for' loop can crash the interpreter.
Diffstat:
M | bugs | | | 39 | +++++++++++++++++++++++++++++++++++++++ |
1 file changed, 39 insertions(+), 0 deletions(-)
diff --git a/bugs b/bugs
@@ -3602,6 +3602,45 @@ patch = [[
}
+Bug{
+what = [[expression list with four or more expressions in
+a 'for' loop can crash the interpreter]],
+report = [[Marco Schöpl, 2016/06/17]],
+since = [[5.2]],
+fix = nil,
+example = [[
+-- the next loop will probably crash the interpreter
+repeat until load "for _ in _,_,_,_ do local function _() end"
+]],
+patch = [[
+--- lparser.c 2016/05/13 19:10:16 2.153
++++ lparser.c 2016/06/17 19:52:48
+@@ -323,6 +323,8 @@
+ luaK_nil(fs, reg, extra);
+ }
+ }
++ if (nexps > nvars)
++ ls->fs->freereg -= nexps - nvars; /* remove extra values */
+ }
+
+
+@@ -1160,11 +1162,8 @@
+ int nexps;
+ checknext(ls, '=');
+ nexps = explist(ls, &e);
+- if (nexps != nvars) {
++ if (nexps != nvars)
+ adjust_assign(ls, nvars, nexps, &e);
+- if (nexps > nvars)
+- ls->fs->freereg -= nexps - nvars; /* remove extra values */
+- }
+ else {
+ luaK_setoneret(ls->fs, &e); /* close last expression */
+ luaK_storevar(ls->fs, &lh->v, &e);
+]]
+}
+
+
--[=[
Bug{
what = [[ ]],
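Review bot: The entry never says that the crash is reached while compiling a chunk, not while running one, which is what anyone who loads source text from outside needs to know. The `example` only calls `load` and never calls the result, and the embedded patch touches `lparser.c`, so restricting the chunk's runtime environment presumably does not help. I would add a line to the example such as `-- the crash happens inside 'load' (the compiler); the chunk is never run`. As a point of style in the embedded patch, the added lines write `ls->fs->freereg` while the context line `luaK_nil(fs, reg, extra);` already uses a local `fs`. If that local is the same FuncState (the function head is outside the patch context), `fs->freereg -= nexps - nvars;` would match the surrounding code.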