- Subject: Re: Specially crafted binary chunks can cause Lua to crash
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 26 Mar 2008 17:04:17 -0300
> On another note, the following exploits a bug in ldebug.c's precheck function:
> The line in question is:
> lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
> If numparams is 255, and is_vararg has the HASARG flag set, then the
> addition will overflow, and the function can have a lot more parameters
> than stack slots, leading to a segfault when the function is called.
Why would 255+1 overflow? What seems odd is the 'lua_assert' there. If
it is checking the code, it should use 'check'...
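The question of whether `255 + 1` overflows turns on C's integer promotion rules: when both operands of `+` are `unsigned char` (Lua's `lu_byte`), the addition is carried out in `int`, so the sum is 256 and the comparison against a 255-slot `maxstacksize` fails as intended. The truncation that would make the check pass only happens if the sum is stored back into a `lu_byte` before comparing. The following is an added example, not code from this thread or from the Lua source; the field names are borrowed from Lua 5.1's `Proto`, the `VARARG_HASARG` value is assumed to be 1, and the `precheck_truncated` variant is a constructed counter-example, not the way ldebug.c is written.

```c
#include <stdio.h>

typedef unsigned char lu_byte;   /* the width Lua 5.1 uses for these Proto fields */
#define VARARG_HASARG 1          /* assumed flag value, mirroring lobject.h */

/* The check exactly as in the quoted assert, with the Proto fields passed as
 * scalars. Both operands of '+' are lu_byte, so C promotes them to int before
 * adding: 255 + 1 == 256, which is not <= 255, and the check fails correctly.
 * Returns 1 when the prototype passes the bounds check, 0 when it does not. */
int precheck_promoted(lu_byte numparams, lu_byte is_vararg, lu_byte maxstacksize) {
  return numparams + (is_vararg & VARARG_HASARG) <= maxstacksize;
}

/* Constructed counter-example (NOT how ldebug.c is written): storing the sum
 * into a lu_byte before comparing truncates 256 to 0, so a prototype with more
 * parameters than stack slots passes the check. This is the shape of bug the
 * quoted report worried about; the real assert does not have it. */
int precheck_truncated(lu_byte numparams, lu_byte is_vararg, lu_byte maxstacksize) {
  lu_byte needed = (lu_byte)(numparams + (is_vararg & VARARG_HASARG));
  return needed <= maxstacksize;
}

int main(void) {
  /* constructed worst case from the report: 255 params, vararg with HASARG,
   * 255 stack slots, and a benign prototype for comparison */
  printf("promoted : worst=%d benign=%d\n",
         precheck_promoted(255, VARARG_HASARG, 255), precheck_promoted(2, 0, 10));
  printf("truncated: worst=%d benign=%d\n",
         precheck_truncated(255, VARARG_HASARG, 255), precheck_truncated(2, 0, 10));
  return 0;
}
```

The second point in the reply is independent of arithmetic: `lua_assert` is compiled out of non-debug builds, so a bounds condition that is meant to reject untrusted bytecode has to live in a check that always runs, which is why the verifier's `check` macro is the right tool for it.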