lua-l archive

I was also thinking of adding a lua_assert to the switch block in 
lua_getmetatable so that if any other such bugs occur, the attempt 
to index outside the mt array fails noisily (in debug builds, anyway).

Thanks -- DT

________________________________________
From: lua-l-bounces@lists.lua.org [lua-l-bounces@lists.lua.org] On Behalf Of Peter Cawley [lua@corsix.org]
Sent: Friday, April 20, 2012 2:52 PM
To: Lua mailing list
Subject: Re: Bug: Segfault calling tostring on a result from debug.getlocal

On Fri, Apr 20, 2012 at 8:40 PM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
> Many thanks for the report. A quick fix would be to filter out those
> values in lua_getlocal; maybe a better (but more extensive) fix would be
> to avoid putting prototypes in the stack in the first place.

For what it's worth, I'd lean toward the extensive fix; due to
load()'s callback, malicious bytecode can grab the prototype whilst
avoiding lua_getlocal's hypothetical filter. Admittedly you may have
bigger problems if malicious bytecode is flying around, but it would
mean one less path to exploitation.
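The hazard DT's first message refers to is a type tag that has no slot in the per-type metatable array: in Lua 5.2 the internal tags (LUA_TPROTO, LUA_TUPVAL) are numbered past LUA_NUMTAGS, so a lookup of the form mt[tag] on a leaked prototype reads past the end of the array before tostring ever sees a metatable. The following is an added example written for this archive page, not code from Lua or from either poster; it models that array-and-tag layout in a self-contained C file so the checked and unchecked lookups can be compared. The enum names, the type_mt array and the tostring_status helper are hypothetical stand-ins for the real lapi.c/lauxlib.c paths, and the lua_assert macro is reproduced only in spirit (a no-op unless LUAI_ASSERT is defined, as in Lua's own builds).

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical tag layout modelled on Lua 5.2: the public tags occupy
 * 0..NUMTAGS-1 and have a slot in the per-type metatable array; the
 * internal tags (prototype, upvalue) are numbered after NUMTAGS and
 * have no slot at all. */
enum { TNIL, TBOOLEAN, TLIGHTUSERDATA, TNUMBER, TSTRING, TTABLE,
       TFUNCTION, TUSERDATA, TTHREAD, NUMTAGS };
enum { TPROTO = NUMTAGS, TUPVAL = NUMTAGS + 1 };

typedef struct Table { const char *name; } Table;

/* Stand-in for the string metatable installed by the string library. */
static Table string_mt = { "string metatable" };

/* Stand-in for G(L)->mt[]: one slot per public tag, strings get one. */
static Table *type_mt[NUMTAGS] = { [TSTRING] = &string_mt };

/* Debug-build check in the spirit of lua_assert: compiled out unless
 * LUAI_ASSERT is defined, so release builds rely on the NULL return. */
#ifdef LUAI_ASSERT
#define lua_assert(c) assert(c)
#else
#define lua_assert(c) ((void)0)
#endif

/* The unchecked form of the "default:" branch the thread describes.
 * Calling this with TPROTO reads type_mt[NUMTAGS], one past the end,
 * which is undefined behaviour; it is shown for contrast, not called. */
Table *get_metatable_unchecked(int tag) {
    return type_mt[tag];
}

/* Checked form: fail noisily in a debug build, and in a release build
 * report "no metatable" instead of indexing outside the array. */
Table *get_metatable_checked(int tag) {
    lua_assert(tag >= 0 && tag < NUMTAGS);
    if (tag < 0 || tag >= NUMTAGS)
        return NULL;
    return type_mt[tag];
}

/* What a tostring-style caller needs from the lookup.
 * Returns 1 if a metatable exists, 0 if the public type has none,
 * and -1 when an internal object (prototype/upvalue) has leaked into
 * a user-visible value and must not be treated as a normal value. */
int tostring_status(int tag) {
    if (tag >= NUMTAGS)
        return -1;
    return get_metatable_checked(tag) != NULL;
}

int main(void) {
    int tags[] = { TSTRING, TNUMBER, TPROTO, TUPVAL };
    size_t i;
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        Table *mt = get_metatable_checked(tags[i]);
        printf("tag %d: metatable=%s status=%d\n", tags[i],
               mt ? mt->name : "(none)", tostring_status(tags[i]));
    }
    return 0;
}
```

Compiled with -DLUAI_ASSERT the prototype case aborts at the lua_assert, which is the noisy failure DT wants in debug builds; without it the same call returns NULL and tostring_status reports -1, so a caller can raise an ordinary error rather than dereferencing whatever happened to follow the array.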