lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


On Mon, Dec 12, 2016 at 1:11 AM, Nagaev Boris <bnagaev@gmail.com> wrote:
> On 11 Dec 2016 4:00 pm, "Pierre-Yves Gérardy" <pygy79@gmail.com> wrote:
> On Mon, Dec 12, 2016 at 12:21 AM, Samuel Groß <mail@samuel-gross.com> wrote:
>> [6]: "We have always considered it unacceptable for a Lua program to be
>> able
>> to crash the host application. Lua should be a safe language.". This seems
>> to be clearly violated here.
>
> Beside what Daurnimator said in a parallel thread, the sentence you
> quoted applies to Lua source code, not bytecode.
>
> Lua program can load bytecode using load function.

And the potential crashes are acknowledged at the end of
http://www.lua.org/manual/5.3/manual.html#pdf-load :

"Lua does not check the consistency of binary chunks. Maliciously
crafted binary chunks can crash the interpreter."

Also, you can call `load` in "t" mode, it will reject bytecode (it
would be nice it it was the default behavior).

—Pierre-Yves