- Subject: CVE-2019-6706: use-after-free in lua_upvaluejoin function
- From: Matěj Cepl <mcepl@...>
- Date: Fri, 25 Jan 2019 12:23:31 +0100
Hi,
do you think this could be a good reformulation of this thread?
Any further comments?
Best,
Matěj
--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
If the Good Lord had wanted us to enjoy ourselves, he wouldn’t
have granted us His precious gift of relentless misery.
-- Jean Calvin in "Calvin and the Chipmunks" comic strip
https://mcepl.fedorapeople.org/tmp/calvin_and_the_chipmunks.jpg
--- a/src/lapi.c
+++ b/src/lapi.c
@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
- LClosure *f1;
- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+ if (*up1 == *up2) return; /* Already joined */
+ (*up2)->refcount++;
+ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+ luaC_upvalbarrier(L, *up2);
luaC_upvdeccount(L, *up1);
*up1 = *up2;
- (*up1)->refcount++;
- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
- luaC_upvalbarrier(L, *up1);
}
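Review bot: the new order, `(*up2)->refcount++` before `luaC_upvdeccount(L, *up1)`, carries the fix but is not documented anywhere in the hunk. With the `if (*up1 == *up2) return;` guard in place, the case where both slots already share one UpVal never reaches the decrement, so the guard and the reorder cover the same situation. A later cleanup could move the increment back below `*up1 = *up2` without noticing that the old sequence decremented the shared object before taking the new reference. I would add a short comment above the increment saying that the reference on `*up2` must be taken before the old one is released, and reword the `/* Already joined */` comment to say that the return also avoids touching the count of an UpVal both closures share. Separately, `*up1` and `*up2` are dereferenced right after `getupvalref` with no check visible in this function; if the validation of `fidx1`/`n1` and `fidx2`/`n2` happens inside `getupvalref`, that is worth a note in the commit message.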