- Subject: RE: Bug: Segfault calling tostring on a result from debug.getlocal
- From: Dan Tull <dtull@...>
- Date: Fri, 20 Apr 2012 13:00:41 -0700
I was also thinking of adding a lua_assert to the switch block in
lua_getmetatable so that if any other such bugs occur, the attempt
to index outside the mt array fails noisily (in debug builds, anyway).
Thanks -- DT
________________________________________
From: lua-l-bounces@lists.lua.org [lua-l-bounces@lists.lua.org] On Behalf Of Peter Cawley [lua@corsix.org]
Sent: Friday, April 20, 2012 2:52 PM
To: Lua mailing list
Subject: Re: Bug: Segfault calling tostring on a result from debug.getlocal
On Fri, Apr 20, 2012 at 8:40 PM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
> Many thanks for the report. A quick fix would be to filter out those
> values in lua_getlocal; maybe a better (but more extensive) fix would be
> to avoid putting prototypes in the stack in the first place.
For what it's worth, I'd lean toward the extensive fix; due to
load()'s callback, malicious bytecode can grab the prototype whilst
avoiding lua_getlocal's hypothetical filter. Albeit you may have
bigger problems if malicious bytecode is flying around, but it would
mean one less path to exploitation.
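The two mitigations discussed in this thread, a filter in the debug API that refuses to hand out internal-only values and a debug-build check in the per-type metatable lookup so an out-of-range type tag fails noisily instead of indexing past the array, are sketched below in a self-contained C model. This is an added illustration, not code from Lua or from any of the posters; the type-tag numbering, the `State`, `Value` and `Metatable` structs, `filtered_getlocal`, `checked_getmetatable` and the `VM_DEBUG_CHECK` macro are all hypothetical names chosen for the demo. The stack frame it inspects is constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical type tags. Script-visible types come first; tags at or
 * beyond NUM_PUBLIC_TAGS are internal (a function prototype is one such
 * value and should never be reachable from a script-visible slot). */
enum {
    TAG_NIL = 0, TAG_BOOLEAN, TAG_NUMBER, TAG_STRING, TAG_TABLE, TAG_FUNCTION,
    NUM_PUBLIC_TAGS,
    TAG_PROTO = NUM_PUBLIC_TAGS,
    NUM_ALL_TAGS
};

typedef struct Metatable { const char *name; } Metatable;
typedef struct Value { int tag; Metatable *own_mt; } Value;

/* The per-type metatable array is sized for public tags only, so indexing it
 * with an internal tag would read past the end of the array. */
typedef struct State { Metatable *mt[NUM_PUBLIC_TAGS]; } State;

/* Debug-build check. Failures are counted so they can be observed here;
 * compile with -DVM_ABORT_ON_CHECK to abort instead, as an assert would. */
int vm_check_failures = 0;
#ifdef VM_ABORT_ON_CHECK
#define VM_CHECK_FAIL() abort()
#else
#define VM_CHECK_FAIL() ((void)0)
#endif
#define VM_DEBUG_CHECK(cond)                                        \
    do { if (!(cond)) {                                              \
        vm_check_failures++;                                         \
        fprintf(stderr, "debug check failed: %s\n", #cond);          \
        VM_CHECK_FAIL();                                             \
    } } while (0)

int tag_is_public(int tag) { return tag >= 0 && tag < NUM_PUBLIC_TAGS; }

/* Metatable lookup with the noisy check: an internal tag trips the debug
 * check and, even when the check is compiled out, returns NULL rather than
 * indexing outside S->mt[]. */
Metatable *checked_getmetatable(State *S, const Value *v) {
    if (v->tag == TAG_TABLE && v->own_mt)
        return v->own_mt;                 /* tables may carry their own */
    VM_DEBUG_CHECK(tag_is_public(v->tag));
    if (!tag_is_public(v->tag))
        return NULL;
    return S->mt[v->tag];
}

/* The "quick fix" shape: a debug getlocal that refuses to expose a stack
 * slot holding an internal-only value. Returns 1 and copies the value on
 * success, 0 if the index is out of range or the slot is internal. */
int filtered_getlocal(const Value *stack, int nslots, int idx, Value *out) {
    if (idx < 0 || idx >= nslots)
        return 0;
    if (!tag_is_public(stack[idx].tag))
        return 0;
    *out = stack[idx];
    return 1;
}

/* Constructed frame: a number, a prototype that leaked onto the stack, and
 * a string. Returns how many slots the filtered getlocal hands out. */
int demo(void) {
    Value stack[3] = { {TAG_NUMBER, NULL}, {TAG_PROTO, NULL}, {TAG_STRING, NULL} };
    Value out;
    int i, handed_out = 0;
    vm_check_failures = 0;
    for (i = 0; i < 3; i++) {
        if (filtered_getlocal(stack, 3, i, &out)) {
            handed_out++;
            printf("slot %d: tag %d exposed\n", i, out.tag);
        } else {
            printf("slot %d: internal value, filtered\n", i);
        }
    }
    return handed_out;
}

int main(void) {
    static Metatable string_mt = { "string" };
    State S = { {0} };
    Value proto = { TAG_PROTO, NULL };
    S.mt[TAG_STRING] = &string_mt;
    printf("filtered getlocal exposed %d of 3 slots\n", demo());
    /* Directly probing the lookup with a leaked prototype trips the check. */
    printf("metatable for leaked prototype: %p (check failures: %d)\n",
           (void *)checked_getmetatable(&S, &proto), vm_check_failures);
    return 0;
}
```

Both layers are kept deliberately: the filter stops the debug API from leaking the value in the first place, and the lookup check catches any other path (such as the load() callback mentioned above) that gets an internal value into a slot the metatable lookup is later asked about.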