You have been subscribed to a public bug by Eric Desrochers (slashd):

[Impact]

Under certain conditions, lpeg will crash while walking the pattern tree
looking for TCapture nodes.

[Test Case]

The reproducer, taken from an upstream discussion (link in "Other
info"), is:

$ cat repro.lua
#!/usr/bin/env lua
lpeg = require "lpeg"

p = lpeg.C(-lpeg.P{lpeg.P'x' * lpeg.V(1) + lpeg.P'y'})
p:match("xx")

The program crashes due to a hascaptures() infinite recursion:

$ ./repro.lua
Segmentation fault (core dumped)

(gdb) bt -25
#523984 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523985 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523986 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523987 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523988 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523989 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523990 0x00007ffff7a3815c in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523991 0x00007ffff7a388e3 in compile () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523992 0x00007ffff7a36fab in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
#523993 0x000055555555fd1e in ?? ()
#523994 0x000055555556a5fc in ?? ()
#523995 0x00005555555600c8 in ?? ()
#523996 0x000055555555f63f in ?? ()
#523997 0x000055555556030f in ?? ()
#523998 0x000055555555dc91 in lua_pcallk ()
#523999 0x000055555555b896 in ?? ()
#524000 0x000055555555c54b in ?? ()
#524001 0x000055555555fd1e in ?? ()
#524002 0x0000555555560092 in ?? ()
#524003 0x000055555555f63f in ?? ()
#524004 0x000055555556030f in ?? ()
#524005 0x000055555555dc91 in lua_pcallk ()
#524006 0x000055555555b64b in ?? ()
#524007 0x00007ffff7c94bbb in __libc_start_main (main=0x55555555b5f0, argc=2, 
argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8)
    at ../csu/libc-start.c:308
#524008 0x000055555555b70a in ?? ()

The expected behavior is for the program to finish normally.

[Regression potential]

Low, this is a backport from upstream and only limits the infinite recursion in
a scenario where it shouldn't happen to begin with (TCapture node search).

[Other info]

This was fixed upstream in 1.0.1 by stopping the recursion in TCall
nodes and ensuring that TRule nodes do not follow their siblings (sib2).
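To make the failure mode and the shape of the fix concrete, here is an added C model of the hascaptures() walk over the pattern from the reproducer. It is not lpeg's source and not the Ubuntu patch: the node tags, struct layout and function names are assumed, a grammar keeps its rules in an array instead of lpeg's sib2 sibling chain, and the buggy walker carries a depth guard so the runaway recursion reports itself (-1) instead of overflowing the C stack. The fixed walker treats a call node as a back-edge that is never followed, and a rule visits only its own body.

```c
#include <stdio.h>

/* Assumed node tags, modelled loosely on lpeg's TTree tags. */
enum Tag { TChar, TCapture, TNot, TSeq, TChoice, TCall, TRule, TGrammar };

typedef struct Node {
    enum Tag tag;
    struct Node *a, *b;    /* operands: Seq/Choice use both; Not/Capture/Rule use a */
    struct Node *rule;     /* TCall: the rule invoked (a back-edge into the grammar) */
    struct Node **rules;   /* TGrammar: all rule nodes (array in this model, not a sib2 chain) */
    int nrules;
} Node;

#define MAX_DEPTH 5000     /* stands in for the real stack limit */

/* Buggy walk: a call is followed into its rule, the rule into its body, and a
 * recursive rule leads straight back to the call.  Only the depth guard stops
 * it here; without one the C stack overflows, as in the backtrace above. */
static int naive_hascaptures(const Node *t, int depth) {
    if (depth > MAX_DEPTH) return -1;          /* runaway recursion detected */
    switch (t->tag) {
    case TCapture: return 1;
    case TChar:    return 0;
    case TCall:    return naive_hascaptures(t->rule, depth + 1);
    case TRule:    return naive_hascaptures(t->a, depth + 1);
    case TNot:     return naive_hascaptures(t->a, depth + 1);
    case TGrammar:
        for (int i = 0; i < t->nrules; i++) {
            int r = naive_hascaptures(t->rules[i], depth + 1);
            if (r != 0) return r;              /* 1 found, or -1 runaway */
        }
        return 0;
    case TSeq: case TChoice: {
        int r = naive_hascaptures(t->a, depth + 1);
        if (r != 0) return r;
        return naive_hascaptures(t->b, depth + 1);
    }
    }
    return 0;
}

/* Fixed walk: a call node is never followed (the grammar already visits every
 * rule body) and a rule visits only its own body, never a sibling rule.  With
 * back-edges ignored the structure is a finite tree, so recursion is bounded. */
static int fixed_hascaptures(const Node *t) {
    switch (t->tag) {
    case TCapture:          return 1;
    case TChar: case TCall: return 0;
    case TRule: case TNot:  return fixed_hascaptures(t->a);
    case TGrammar:
        for (int i = 0; i < t->nrules; i++)
            if (fixed_hascaptures(t->rules[i])) return 1;
        return 0;
    case TSeq: case TChoice:
        return fixed_hascaptures(t->a) || fixed_hascaptures(t->b);
    }
    return 0;
}

/* Tiny arena; each build_repro() call starts over, so use its result at once. */
static Node arena[16];
static Node *rule_list[1];
static int used;

static Node *mk(enum Tag tag, Node *a, Node *b) {
    Node *n = &arena[used++];
    n->tag = tag; n->a = a; n->b = b;
    n->rule = NULL; n->rules = NULL; n->nrules = 0;
    return n;
}

/* Builds lpeg.C(-lpeg.P{ 'x' * V(1) + 'y' }) from the report and returns the
 * TNot node.  With capture_in_rule set, the 'x' is captured so the walk meets a
 * capture before it reaches the cycle (the "intermittent" case). */
static Node *build_repro(int capture_in_rule) {
    used = 0;
    Node *x = mk(TChar, NULL, NULL);
    Node *y = mk(TChar, NULL, NULL);
    Node *rule = mk(TRule, NULL, NULL);
    Node *call = mk(TCall, NULL, NULL);
    call->rule = rule;                                   /* V(1) -> rule 1 */
    Node *first = capture_in_rule ? mk(TCapture, x, NULL) : x;
    rule->a = mk(TChoice, mk(TSeq, first, call), y);     /* 'x' * V(1) + 'y' */
    Node *g = mk(TGrammar, NULL, NULL);
    rule_list[0] = rule;
    g->rules = rule_list; g->nrules = 1;
    Node *pred = mk(TNot, g, NULL);                      /* -P{...} */
    (void)mk(TCapture, pred, NULL);                      /* outer lpeg.C(...) */
    return pred;
}

/* Runs the predicate-body check as the code generator for '-p' would.
 * Returns 1 (captures found), 0 (none) or -1 (naive walk ran away). */
int check_predicate_body(int use_fixed, int capture_in_rule) {
    Node *pred = build_repro(capture_in_rule);
    return use_fixed ? fixed_hascaptures(pred->a)
                     : naive_hascaptures(pred->a, 0);
}

int main(void) {
    printf("naive, no capture in rule: %d\n", check_predicate_body(0, 0));
    printf("fixed, no capture in rule: %d\n", check_predicate_body(1, 0));
    printf("naive, capture in rule:    %d\n", check_predicate_body(0, 1));
    printf("fixed, capture in rule:    %d\n", check_predicate_body(1, 1));
    return 0;
}
```

The naive walker only runs away when the cycle is reached before any capture, which is why the real crash depended on the grammar's shape; the fixed walker gives the same answers on the non-cyclic cases and terminates on the recursive one.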

The upstream discussion can be found here:
http://lua.2524044.n2.nabble.com/LPeg-intermittent-stack-exhaustion-td7674831.html

My analysis can be found here:
http://pastebin.ubuntu.com/p/n4824ftZt9/plain/

[Original description]

The Ubuntu Error Tracker has been receiving reports about a problem
regarding nmap.  This problem was most recently seen with version
7.01-2ubuntu2, the problem page at
https://errors.ubuntu.com/problem/5e852236a443bab0279d47c8a9b7e55802bfb46f
contains more details.

** Affects: lua-lpeg (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: lua-lpeg (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: lua-lpeg (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: lua-lpeg (Ubuntu Disco)
     Importance: Undecided
         Status: New

** Affects: lua-lpeg (Ubuntu Eoan)
     Importance: Undecided
         Status: New

** Affects: lua-lpeg (Debian)
     Importance: Unknown
         Status: Unknown


** Tags: sts wily xenial yakkety
-- 
/usr/bin/nmap:11:hascaptures:hascaptures:hascaptures:hascaptures:hascaptures
https://bugs.launchpad.net/bugs/1580385