** Description changed:

+ [Impact]
+
+ Under certain conditions, lpeg will crash while walking the pattern tree
+ looking for TCapture nodes.
+
+ [Test Case]
+
+ The reproducer, taken from an upstream discussion (link in "Other
+ info"), is:
+
+ $ cat repro.lua
+ #!/usr/bin/env lua
+ lpeg = require "lpeg"
+
+ p = lpeg.C(-lpeg.P{lpeg.P'x' * lpeg.V(1) + lpeg.P'y'})
+ p:match("xx")
+
+ The program crashes due to a hascaptures() infinite recursion:
+
+ $ ./repro.lua
+ Segmentation fault (core dumped)
+
+ (gdb) bt -25
+ #523984 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523985 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523986 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523987 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523988 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523989 0x00007ffff7a3743c in hascaptures () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523990 0x00007ffff7a3815c in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523991 0x00007ffff7a388e3 in compile () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523992 0x00007ffff7a36fab in ?? () from /usr/lib/x86_64-linux-gnu/lua/5.2/lpeg.so
+ #523993 0x000055555555fd1e in ?? ()
+ #523994 0x000055555556a5fc in ?? ()
+ #523995 0x00005555555600c8 in ?? ()
+ #523996 0x000055555555f63f in ?? ()
+ #523997 0x000055555556030f in ?? ()
+ #523998 0x000055555555dc91 in lua_pcallk ()
+ #523999 0x000055555555b896 in ?? ()
+ #524000 0x000055555555c54b in ?? ()
+ #524001 0x000055555555fd1e in ?? ()
+ #524002 0x0000555555560092 in ?? ()
+ #524003 0x000055555555f63f in ?? ()
+ #524004 0x000055555556030f in ?? ()
+ #524005 0x000055555555dc91 in lua_pcallk ()
+ #524006 0x000055555555b64b in ?? ()
+ #524007 0x00007ffff7c94bbb in __libc_start_main (main=0x55555555b5f0, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8)
+ at ../csu/libc-start.c:308
+ #524008 0x000055555555b70a in ?? ()
+
+ The expected behavior is to have the program finish normally.
+
+ [Regression potential]
+
+ Low, this is a backport from upstream and only limits the infinite
+ recursion in a scenario where it shouldn't happen to begin with
+ (TCapture node search).
+
+ [Other info]
+
+ This was fixed upstream in 1.0.1 by stopping the recursion in TCall
+ nodes and controlling that TRule nodes do not follow siblings (sib2).
+
+ The upstream discussion can be found here:
+ http://lua.2524044.n2.nabble.com/LPeg-intermittent-stack-exhaustion-td7674831.html
+
+ My analysis can be found here:
+ http://pastebin.ubuntu.com/p/n4824ftZt9/plain/
+
+ [Original description]
+ The Ubuntu Error Tracker has been receiving reports about a problem
+ regarding nmap. This problem was most recently seen with version
+ 7.01-2ubuntu2, the problem page at
+ https://errors.ubuntu.com/problem/5e852236a443bab0279d47c8a9b7e55802bfb46f
+ contains more details.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1580385

Title:
  /usr/bin/nmap:11:hascaptures:hascaptures:hascaptures:hascaptures:hascaptures

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lua-lpeg/+bug/1580385/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
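The reproducer in the bug report is the authoritative check for an installed lpeg: distribution packages (this SRU included) backport the 1.0.1 fix without bumping the upstream version string, so a version comparison alone can report a patched build as affected. The POSIX shell script below is an added example, not part of the bug report, of lpeg or of nmap. It runs the report's reproducer in a subprocess with a small stack so a runaway recursion hits the guard page quickly, classifies the exit status (139 is 128 + SIGSEGV, the shell's convention for a process killed by that signal), and prints the upstream version as a secondary hint. The function names, the "report" argument and the 256 KiB stack limit are this example's own choices; the script accepts lpeg.version as either a function (older releases) or a plain string (newer ones) rather than assuming one form. Because each Lua ABI loads its own lpeg.so (the backtrace above is from /usr/lib/x86_64-linux-gnu/lua/5.2/), run it once per interpreter you care about, e.g. `sh lpeg_check.sh report lua5.2`.

```shell
#!/bin/sh
# Added example (not from the bug report, lpeg or nmap): is the installed
# LPeg affected by the hascaptures() infinite recursion?

# Pure version test: upstream fixed this in 1.0.1, so anything older prints
# "yes". Distribution packages backport fixes without changing the version,
# so treat this only as a hint and let lpeg_repro_outcome give the answer.
lpeg_version_affected() {
    v=$1
    major=${v%%.*}
    case $v in *.*) rest=${v#*.} ;; *) rest=0 ;; esac        # "1"   -> 1.0.0
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac  # "1.0" -> 1.0.0
    patch=${patch%%.*}
    # Drop suffixes such as "-rc1" and default empty fields to 0 so that the
    # arithmetic below never sees a non-numeric token.
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    if [ $((${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0})) -lt 10001 ]; then
        echo yes
    else
        echo no
    fi
}

# Print the upstream version string of the lpeg that $lua loads, or nothing
# if lua or lpeg is missing. lpeg.version is a function in older releases
# and a plain string in newer ones, so accept both.
lpeg_installed_version() {
    lua=${1:-lua}
    command -v "$lua" >/dev/null 2>&1 || return 0
    "$lua" -e 'local l = require "lpeg"; local v = l.version
               if type(v) == "function" then v = v() end; print(v)' 2>/dev/null || true
}

# Run the bug report's reproducer in a subprocess and classify the outcome.
# Prints one of: no-lua, ok, crash, error:<status>.
lpeg_repro_outcome() {
    lua=${1:-lua}
    command -v "$lua" >/dev/null 2>&1 || { echo no-lua; return 0; }
    tmp=$(mktemp) || return 1
    # Reproducer from the bug report: a capture around a negative predicate
    # on a recursive grammar.
    cat >"$tmp" <<'EOF'
local lpeg = require "lpeg"
local p = lpeg.C(-lpeg.P{lpeg.P'x' * lpeg.V(1) + lpeg.P'y'})
p:match("xx")
EOF
    rc=0
    # Small stack (assumed 256 KiB is enough for lua itself): an unbounded
    # recursion then fails fast instead of burning through ~500k frames.
    (ulimit -s 256 2>/dev/null; exec "$lua" "$tmp" >/dev/null 2>&1) || rc=$?
    rm -f "$tmp"
    case $rc in
        0)   echo ok ;;           # pattern compiled and matched: fixed build
        139) echo crash ;;        # 128 + SIGSEGV: the hascaptures() recursion
        *)   echo "error:$rc" ;;  # e.g. 1 when require "lpeg" itself fails
    esac
}

# Human-readable summary; usage: sh lpeg_check.sh report [lua-interpreter]
lpeg_check_report() {
    lua=${1:-lua}
    ver=$(lpeg_installed_version "$lua")
    [ -n "$ver" ] && printf 'lpeg version %s: older than the 1.0.1 fix = %s\n' \
        "$ver" "$(lpeg_version_affected "$ver")"
    printf 'reproducer outcome: %s\n' "$(lpeg_repro_outcome "$lua")"
}

if [ "${1:-}" = report ]; then
    lpeg_check_report "${2:-lua}"
fi
```

An outcome of "crash" is the finding that matters; "ok" on a build whose version string is still 1.0.0 is the expected result on a distribution that carries the backport. An "error:1" almost always means the interpreter you named has no lpeg module on its package path, not that the bug is absent.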