- Subject: Re: Specially crafted binary chunks can cause Lua to crash
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 26 Mar 2008 12:30:24 -0300
> The bug is in ldebug.c's symbexec function again, but exploits the
> fact that LOADBOOL with C != 0 isn't checked to see if it jumps over
> an extended SETLIST, rather than yesterday's extended SETLIST as the
> penultimate instruction.
Maybe the correct way to fix these bugs would be to change that free
slot after SETLIST into a new pseudo-instruction, with 26 free bits
to keep the desired value. So, any jump to this slot would try to
execute this instruction, and the VM could easily catch it with no
overhead. Unfortunately, such a change is incompatible with current
binaries, and so it is not an option for a bug-fix release. But it is
an option for 5.2.
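To make the proposal concrete, here is an added toy model written for this page; it is not Roberto's code and not Lua's source. It keeps only what the message relies on: a 32-bit instruction word with a 6-bit opcode and 26 remaining bits (Lua 5.1's layout), a LOADBOOL whose C != 0 skips the following word, and an extended SETLIST whose count lives in the next word. The opcode numbers, the "low payload bit is C" convention and the `OP_EXTRAARG` name are constructed for the model (Lua 5.2 did later add an `OP_EXTRAARG` instruction with a 26-bit payload, but its real numbering and operand layout are not reproduced here). The point it shows is the one in the message: a bare data word decodes as whatever its low six bits happen to be, so reaching it runs an unintended instruction, whereas a pseudo-instruction in that slot is rejected by the ordinary opcode dispatch with no extra check on the hot path.

```python
OPCODE_BITS = 6
PAYLOAD_BITS = 32 - OPCODE_BITS          # the 26 free bits from the message
OPCODE_MASK = (1 << OPCODE_BITS) - 1

# Toy opcode numbering (constructed for this model; not Lua's real numbering).
OP_LOADBOOL, OP_SETLIST, OP_RETURN = 1, 2, 3
OP_EXTRAARG = 63                          # hypothetical payload-only pseudo-instruction


def encode(op, payload):
    """Pack a 6-bit opcode and a 26-bit payload into one instruction word."""
    assert 0 <= op <= OPCODE_MASK and 0 <= payload < (1 << PAYLOAD_BITS)
    return (payload << OPCODE_BITS) | op


def opcode(word):
    return word & OPCODE_MASK


def payload(word):
    return word >> OPCODE_BITS


class BadBytecode(Exception):
    pass


def run(code, max_steps=16):
    """Dispatch the toy program; returns the list of (pc, opcode) executed."""
    pc, trace = 0, []
    while pc < len(code) and len(trace) < max_steps:
        word = code[pc]
        op = opcode(word)
        trace.append((pc, op))
        if op == OP_LOADBOOL:
            pc += 2 if payload(word) & 1 else 1    # toy: low bit is C; C != 0 skips next word
        elif op == OP_SETLIST:
            pc += 2 if payload(word) == 0 else 1   # toy: payload 0 => count is in the next word
        elif op == OP_RETURN:
            return trace
        elif op == OP_EXTRAARG:
            # The pseudo-instruction is data, never meant to be dispatched: any control
            # flow that lands here is rejected by the switch the VM already performs.
            raise BadBytecode(f"pseudo-instruction reached at pc={pc}")
        else:
            raise BadBytecode(f"unknown opcode {op} at pc={pc}")
    raise BadBytecode(f"ran off the end of the code at pc={pc}")


def build(count, use_pseudo_instruction, skip):
    """Four-word program: LOADBOOL, extended SETLIST, its count slot, RETURN.

    With skip=True the LOADBOOL has C != 0 and jumps over the SETLIST, so control
    lands directly on the count slot, which is the situation the message describes.
    """
    slot = encode(OP_EXTRAARG, count) if use_pseudo_instruction else count
    return [
        encode(OP_LOADBOOL, 1 if skip else 0),
        encode(OP_SETLIST, 0),
        slot,
        encode(OP_RETURN, 0),
    ]


def outcome(count, use_pseudo_instruction, skip):
    """Summarise what dispatching the built program does, as a short string."""
    try:
        trace = run(build(count, use_pseudo_instruction, skip))
        return "executed " + ",".join(f"{op}@{pc}" for pc, op in trace)
    except BadBytecode as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    # Well-formed flow: SETLIST consumes its count slot either way.
    print(outcome(129, False, skip=False))
    print(outcome(129, True, skip=False))
    # Control lands on the slot: a bare 129 decodes as LOADBOOL (129 & 63 == 1)
    # with garbage operands, while the pseudo-instruction is rejected.
    print(outcome(129, False, skip=True))
    print(outcome(129, True, skip=True))
```

The two `skip=False` runs produce identical traces, which is the "no overhead" part of the argument: valid programs never dispatch the slot, so the only cost of the new encoding is one more case in a switch that already exists. The incompatibility is also visible in the model: a decoder expecting the bare count would read `encode(OP_EXTRAARG, 129)` as a different number, which is why the message defers the change to 5.2 rather than a bug-fix release.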