lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> On another note, the following exploits a bug in ldebug.c's precheck function:
> loadstring(string.dump(function(a,b,c)end):gsub("%z\3%z\3","\0\255\1\3",1))()
> The line in question is:
> lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
> If numparams is 255, and is_vararg has the HARARG flag set, then the
> addition will overflow, and the function can have alot more parameters
> than stack slots, leading to a segfault when the function is called.

Why would 255+1 overflow? What seems odd is the 'lua_assert' there. If
it is checking the code, it should use 'check'...

-- Roberto