
A C function may receive on its stack more arguments than
LUAI_MAXCSTACK (defined in luaconf.h). So, if a C function is passed
10 000 arguments and attempts to use a negative index on a valid slot,
say -10 000, it would access the Registry instead.

Attached is code demonstrating this.

I see two possible solutions:
  o The pseudo-indices are accessed relative to the stack top. That
is, LUA_REGISTRYINDEX becomes a macro like (-(lua_gettop(L)+50)). The
bonus to this approach is the limit on the size of C stacks is removed
but LUA_REGISTRYINDEX and similar can only be used in the arguments to
an API function (because the macros rely on the current size of the
stack). This may be too inflexible to be viable.
  o The size of the arguments to the C function's stack is limited to

Kind Regards,

-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."

-Will Durant
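
/* C module: exposes ctest() to Lua */
#include <lua.h>
#include <lauxlib.h>

static int ctest (lua_State *L)
{
  int top = lua_gettop(L);
  if (top >= 1e4)
  {
    /* -top is meant to name the first argument, but with 10 000
       arguments it is read as the Registry pseudo-index instead */
    lua_pushvalue(L, -top);
    return 1;
  }
  else
    luaL_error(L, "stack not large enough");
  return 0;  /* not reached: luaL_error does not return */
}

int luaopen_ctest (lua_State *L)
{
  lua_register(L, "ctest", ctest);
  return 0;
}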
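
-- Lua driver: calls ctest with 10 000 arguments
require "ctest"

-- unpack t[1..i] as varargs without relying on the built-in unpack
local function lunpack(t, i, ...)
  if i == 0 then
    return ...
  else
    return lunpack(t, i-1, t[i], ...)
  end
end

local t = {}
for i = 1, 1e4 do t[i] = i end

-- the two printed values are the same table if ctest returned the Registry
print(ctest(lunpack(t, #t)), debug.getregistry())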
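
Added example, not part of the original message or its attachment: a header-free C model of the index classification the message describes, showing where a top-relative index stops naming a stack slot and how computing an absolute index avoids it. It assumes Lua 5.1's value of -10000 for LUA_REGISTRYINDEX; `classify` and `from_top` are hypothetical names.

```c
#include <stdio.h>

#define REGISTRYINDEX (-10000) /* assumed: LUA_REGISTRYINDEX in Lua 5.1 */

enum slot_kind { SLOT_STACK, SLOT_PSEUDO, SLOT_INVALID };

/* Same decision order as the API: positive indices count from the base,
   negatives above REGISTRYINDEX count from the top, everything else is a
   pseudo-index. For SLOT_STACK, *abs receives the 1-based position. */
static enum slot_kind classify(int top, int idx, int *abs)
{
  if (idx > 0) {
    *abs = idx;
    return idx <= top ? SLOT_STACK : SLOT_INVALID;
  }
  if (idx > REGISTRYINDEX) {
    *abs = top + idx + 1;
    return (idx != 0 && -idx <= top) ? SLOT_STACK : SLOT_INVALID;
  }
  return SLOT_PSEUDO; /* registry and the other pseudo-indices */
}

/* Guard for a C function: address the n-th slot from the top with an
   absolute index, which is positive and so never read as a pseudo-index.
   Returns 0 when n is outside 1..top. */
static int from_top(int top, int n)
{
  return (n >= 1 && n <= top) ? top - n + 1 : 0;
}

int main(void)
{
  int tops[] = { 9999, 10000 }; /* constructed argument counts */
  for (int i = 0; i < 2; i++) {
    int top = tops[i], abs = 0;
    enum slot_kind k = classify(top, -top, &abs);
    printf("top=%d idx=%d -> %s; from_top gives %d\n", top, -top,
           k == SLOT_STACK ? "stack slot" : "pseudo-index",
           from_top(top, top));
  }
  return 0;
}
```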