
Potential security risks: buffer access out of bound #145

@yiyuaner

Description


In lib/lpeg.c, function verify:

static int verify (lua_State *L, Instruction *op, const Instruction *p,
                   Instruction *e, int postable, int rule) {
  static const char dummy[] = "";
  Stack back[MAXBACK];
  int backtop = 0;  /* point to first empty slot in back */
  while (p != e) {
    switch ((Opcode)p->i.code) {
      case IRet: {
        p = back[--backtop].p;
        continue;
      }
      ......
      case IFunc: {
        const char *r = (p+1)->f((p+2)->buff, dummy, dummy, dummy);
        if (r == NULL) goto fail;
        p += p->i.offset;
        continue;
      }
    }
  }
  ......

If (Opcode)p->i.code == IRet, then array back will be accessed at index -1.

If we first enter case IFunc and then case IRet, array back will be uninitialized, and thus
p will contain a garbage value.
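The following is an added example, not code from the reporter or from lpeg, showing the defensive shape of the pattern the report describes: a fixed-size backtrack stack whose pop and push are bounds-checked, so an unmatched return or a runaway call sequence is reported as a verification failure instead of reading back[-1] or writing past MAXBACK. The opcode names, the Instr layout, the VerifyStatus codes and the four sample programs are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a verifier that walks an instruction array with a
 * fixed-size backtrack stack. Added example code, not lpeg's: the opcode
 * names, the Instr layout and the VerifyStatus codes are assumptions. */

#define MAXBACK 4

typedef enum { OP_CALL, OP_RET, OP_END } Opcode;
typedef struct { Opcode code; int target; } Instr;   /* target: index used by OP_CALL */
typedef struct { const Instr *p; } Stack;

typedef enum {
    VERIFY_OK = 0,
    VERIFY_STACK_UNDERFLOW = -1,  /* return-style pop while backtop == 0 */
    VERIFY_STACK_OVERFLOW = -2,   /* push while backtop == MAXBACK */
    VERIFY_BAD_TARGET = -3        /* jump outside the program */
} VerifyStatus;

/* Checked pop: refuses to read back[-1] when the stack is empty. */
static int pop_back(const Stack *back, int *backtop, const Instr **out) {
    if (*backtop <= 0) return 0;
    *out = back[--*backtop].p;
    return 1;
}

/* Checked push: refuses to write back[MAXBACK]. */
static int push_back(Stack *back, int *backtop, const Instr *p) {
    if (*backtop >= MAXBACK) return 0;
    back[(*backtop)++].p = p;
    return 1;
}

VerifyStatus verify_checked(const Instr *prog, size_t n) {
    Stack back[MAXBACK];
    int backtop = 0;                  /* first empty slot in back */
    const Instr *p = prog, *e = prog + n;
    while (p != e) {
        switch (p->code) {
        case OP_CALL:
            if (p->target < 0 || (size_t)p->target >= n) return VERIFY_BAD_TARGET;
            /* save the return address (next instruction) before jumping */
            if (!push_back(back, &backtop, p + 1)) return VERIFY_STACK_OVERFLOW;
            p = prog + p->target;
            continue;
        case OP_RET:
            /* the unchecked form, back[--backtop].p, reads index -1 here */
            if (!pop_back(back, &backtop, &p)) return VERIFY_STACK_UNDERFLOW;
            continue;
        case OP_END:
            return VERIFY_OK;
        }
        p++;  /* an opcode outside the enum is stepped over */
    }
    return VERIFY_OK;
}

/* Constructed sample programs (indices refer to positions in each array). */
static const Instr sample_balanced[]  = { {OP_CALL, 2}, {OP_END, 0}, {OP_RET, 0} };
static const Instr sample_underflow[] = { {OP_RET, 0}, {OP_END, 0} };
static const Instr sample_overflow[]  = { {OP_CALL, 0}, {OP_END, 0} };
static const Instr sample_badtarget[] = { {OP_CALL, 9}, {OP_END, 0} };

VerifyStatus run_balanced(void)  { return verify_checked(sample_balanced, 3); }
VerifyStatus run_underflow(void) { return verify_checked(sample_underflow, 2); }
VerifyStatus run_overflow(void)  { return verify_checked(sample_overflow, 2); }
VerifyStatus run_badtarget(void) { return verify_checked(sample_badtarget, 2); }

int main(void) {
    printf("balanced:  %d\n", run_balanced());   /* 0  */
    printf("underflow: %d\n", run_underflow());  /* -1 */
    printf("overflow:  %d\n", run_overflow());   /* -2 */
    printf("badtarget: %d\n", run_badtarget());  /* -3 */
    return 0;
}
```

The underflow sample is the case the report singles out: a return instruction reached with nothing on the stack. Because the stack array itself is an uninitialized local, the unchecked pop would not only index before the array but also hand back whatever happened to be in that memory as the next instruction pointer; the checked version turns both the underflow and the symmetric overflow into explicit status codes that the caller can reject.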
