DBProxy
Potential security risks: buffer access out of bound
In `lib/lpeg.c`, function `verify`:

```c
static int verify (lua_State *L, Instruction *op, const Instruction *p,
                   Instruction *e, int postable, int rule) {
  static const char dummy[] = "";
  Stack back[MAXBACK];      /* not initialized; only slots below backtop hold valid entries */
  int backtop = 0;  /* point to first empty slot in back */
  while (p != e) {
    switch ((Opcode)p->i.code) {
      case IRet: {
        p = back[--backtop].p;   /* no check that backtop > 0 before the pop */
        continue;
      }
      ......
      case IFunc: {
        const char *r = (p+1)->f((p+2)->buff, dummy, dummy, dummy);
        if (r == NULL) goto fail;
        p += p->i.offset;
        continue;
      }
    }
  }
  ......
```
If `(Opcode)p->i.code == IRet` is reached while `backtop` is still 0, `back[--backtop]` accesses the array at index -1.

If case `IFunc` is entered first and then case `IRet`, nothing has been pushed onto `back`, so the array is still uninitialized and `p` receives a garbage value.
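A reduced model of the same walk with the bounds checks a fix would need, added here as an example; it is not DBProxy's or lpeg's code, and the opcode names, `verify_walk` and the sample programs are hypothetical constructions.

```c
#include <stddef.h>

#define MAXBACK 8   /* small bound for the demonstration */

/* Hypothetical reduced model of the verify() walk: only the opcodes needed
 * to show how the back stack is pushed and popped. Not lpeg's real code. */
typedef enum { OpCall, OpRet, OpAny, OpEnd } Opcode;
typedef struct { Opcode code; int offset; } Instr;
typedef struct { const Instr *p; } Stack;

/* Walks prog[0..n). Returns 0 when the walk ends cleanly, -1 on a return
 * with an empty back stack (the reported index -1 read), -2 on back-stack
 * overflow, -3 on a jump whose target lies outside the program. */
int verify_walk(const Instr *prog, size_t n) {
  Stack back[MAXBACK];
  int backtop = 0;                       /* first empty slot in back */
  const Instr *p = prog, *e = prog + n;
  while (p != e) {
    switch (p->code) {
      case OpRet:
        if (backtop == 0) return -1;     /* the check the excerpt lacks */
        p = back[--backtop].p;
        continue;
      case OpCall: {
        ptrdiff_t target = (p - prog) + p->offset;
        if (backtop >= MAXBACK) return -2;              /* bound the push too */
        if (target < 0 || target >= (ptrdiff_t)n) return -3;
        back[backtop++].p = p + 1;       /* resume after the call */
        p = prog + target;
        continue;
      }
      case OpAny:
        p++;
        continue;
      case OpEnd:
        return 0;
    }
  }
  return 0;
}

/* Constructed sample programs exercising each outcome. */
int example_underflow(void) {            /* return first: backtop is still 0 */
  static const Instr prog[] = { {OpRet, 0}, {OpEnd, 0} };
  return verify_walk(prog, 2);
}
int example_wellformed(void) {           /* call, match, return, end */
  static const Instr prog[] = { {OpCall, 2}, {OpEnd, 0}, {OpAny, 0}, {OpRet, 0} };
  return verify_walk(prog, 4);
}
int example_overflow(void) {             /* MAXBACK+1 nested calls */
  static const Instr prog[MAXBACK + 2] = { {OpCall,1},{OpCall,1},{OpCall,1},{OpCall,1},
    {OpCall,1},{OpCall,1},{OpCall,1},{OpCall,1},{OpCall,1},{OpEnd,0} };
  return verify_walk(prog, MAXBACK + 2);
}
```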