Slight variation on yesterday's bug:


Creates a function that starts with an easy-to-find opcode (4 locals
from vararg becomes "e\0\128\2") and enough instructions after it to
overwrite (a=1 is a LOADK plus SETGLOBAL, combined with the VARARG is
3 instructions). Then replaces the three instructions with:
LOADBOOL (with C = 1, to cause VM to skip the SETLIST)
SETLIST (with C = 0, to cause code checker to skip next instruction)
CLOSURE (The aftermath of closing a non-existent prototype causes the segfault)

The bug is in ldebug.c's symbexec function again, but exploits the
fact that LOADBOOL with C != 0 isn't checked to see if it jumps over
an extended SETLIST, rather than yesterday's extended SETLIST as the
penultimate instruction.

On 24/03/2008, Luiz Henrique de Figueiredo <> wrote:
> Thanks for the report.
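The missing check described in the message above, as an added example that is not code from the list post or from Lua itself: a Python scan over Lua 5.1 instruction words that flags a LOADBOOL with C != 0 whose skipped instruction is a SETLIST with C == 0 (the case the post says symbexec did not reject), alongside the existing bounds check on the skip. Instruction layout and opcode numbers follow Lua 5.1's lopcodes.h; the two sample streams are constructed for the example.

```python
# Added example (not from the post or from Lua): detect the LOADBOOL/SETLIST
# pattern described above in a Lua 5.1 instruction stream.

# Lua 5.1 iABC layout: op (6 bits) | A (8 bits) | C (9 bits) | B (9 bits)
POS_A, POS_C, POS_B = 6, 14, 23
OP_LOADBOOL, OP_RETURN, OP_SETLIST = 2, 30, 34

def encode_abc(op, a, b, c):
    """Pack an iABC instruction word as Lua 5.1's CREATE_ABC does."""
    return op | (a << POS_A) | (b << POS_B) | (c << POS_C)

def decode(instr):
    """Return (op, A, B, C) from a 32-bit instruction word."""
    return (instr & 0x3F, (instr >> POS_A) & 0xFF,
            (instr >> POS_B) & 0x1FF, (instr >> POS_C) & 0x1FF)

def find_unsafe_loadbool(code):
    """Return the pcs of LOADBOOL instructions whose skip is unsafe.

    LOADBOOL with C != 0 makes the VM skip the next instruction.  That is
    only sound if pc+2 is still inside the function (the check the
    verifier already had) and the skipped word is not a SETLIST with
    C == 0: the checker treats the word after such a SETLIST as data, so
    the VM would execute a word the checker never examined.
    """
    bad = []
    for pc, instr in enumerate(code):
        op, _, _, c = decode(instr)
        if op != OP_LOADBOOL or c == 0:
            continue
        if pc + 2 >= len(code):
            bad.append(pc)
            continue
        nop, _, _, nc = decode(code[pc + 1])
        if nop == OP_SETLIST and nc == 0:
            bad.append(pc)
    return bad

# Constructed sample: the pattern from the post, LOADBOOL C=1 skipping a
# SETLIST C=0, followed by a RETURN so the stream is otherwise well-formed.
MALFORMED = [encode_abc(OP_LOADBOOL, 0, 0, 1),
             encode_abc(OP_SETLIST, 0, 0, 0),
             encode_abc(OP_RETURN, 0, 1, 0)]

# Constructed sample: the compiler's usual pair of LOADBOOLs, where the
# first (C=1) skips the second; this must not be flagged.
WELL_FORMED = [encode_abc(OP_LOADBOOL, 0, 0, 1),
               encode_abc(OP_LOADBOOL, 0, 1, 0),
               encode_abc(OP_RETURN, 0, 1, 0)]

if __name__ == "__main__":
    print(find_unsafe_loadbool(MALFORMED))    # [0]
    print(find_unsafe_loadbool(WELL_FORMED))  # []
```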