Small variation of #5.1.3-5 crashes Lua 5.3.0

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Small variation of #5.1.3-5 crashes Lua 5.3.0
From: Alexander Nasonov <alnsn@...>
Date: Fri, 27 Feb 2015 00:36:25 +0000

This code (which is a slight variation of
http://www.lua.org/bugs.html#5.1.3-5):

$ cat afl-out/crashes/id*0001,*                                                                    
a = string.dump(function()return;end)
a = a:gsub(string.char(38,37,122,128), string.char(34,0,0), 1)
load(a)()

crashes Lua 5.3.0.

$ gdb lua5.3                                                                                       
Reading symbols from lua5.3...(no debugging symbols found)...done.
(gdb) run afl-out/crashes/id*0001,*
Starting program: /usr/pkg/bin/lua5.3 afl-out/crashes/id*0001,*

Program received signal SIGSEGV, Segmentation fault.
0x00007f7ff78185bd in luaV_execute () from /usr/pkg/lib/liblua5.3.so.5
(gdb) bt
#0  0x00007f7ff78185bd in luaV_execute () from /usr/pkg/lib/liblua5.3.so.5
#1  0x00007f7ff780cb9b in luaD_call () from /usr/pkg/lib/liblua5.3.so.5
#2  0x00007f7ff780c25c in luaD_rawrunprotected () from /usr/pkg/lib/liblua5.3.so.5
#3  0x00007f7ff780cdee in luaD_pcall () from /usr/pkg/lib/liblua5.3.so.5
#4  0x00007f7ff78091c7 in lua_pcallk () from /usr/pkg/lib/liblua5.3.so.5
#5  0x0000000000401af7 in _start ()
(gdb) 

Found (in few seconds) by afl http://lcamtuf.coredump.cx/afl/

PS It's easy to crash Lua with a malformed binary chunk. I wonder
if it's supposed to be robust.

Alex

Follow-Ups:
- Re: Small variation of #5.1.3-5 crashes Lua 5.3.0, Luiz Henrique de Figueiredo
- Re: Small variation of #5.1.3-5 crashes Lua 5.3.0, Roberto Ierusalimschy

Prev by Date: Re: Choosing an easy web development tool kit
Next by Date: Re: Small variation of #5.1.3-5 crashes Lua 5.3.0
Previous by thread: Re: Choosing an easy web development tool kit
Next by thread: Re: Small variation of #5.1.3-5 crashes Lua 5.3.0
Index(es):
- Date
- Thread