lua-l archive



Hi,
I wrote a sanitization procedure that checks the depth of the returned Lua expression. The snippet below assumes that there is a Lua table on the top of the stack.


  vector<pair<unsigned, unsigned>> lens;
  unsigned len = lua_rawlen(lua_, -1);
  unsigned i = 0;

  // implement dfs traversal
  while (true) {
    while (i < len) {
      DVLOG(1) << "Stack " << lua_gettop(lua_) << "/" << i << "/" << len;
      int t = lua_rawgeti(lua_, -1, i + 1); // push table element
      if (t == LUA_TTABLE) {
        if (lens.size() >= 127) // reached depth 127
          return false;

        lens.emplace_back(i + 1, len); // save the parent state.

        // reset to iterate on the next table.
        i = 0;
        len = lua_rawlen(lua_, -1);
      } else {
        lua_pop(lua_, 1); // pop table element
        ++i;
      }
    }

    if (lens.empty()) // exit criteria
      break;

    // unwind to the state before we went down the stack.
    tie(i, len) = lens.back();
    lens.pop_back();

    lua_pop(lua_, 1);
  }

  return true;

When I run it on the Lua script below and then close the Lua state, it crashes inside lua_close (see the stack below).
For lengths less than 54 it does not crash.

  local x = {}
  for i=1,54 do
    x = {x}
  end
  return x


==2152799==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x617000000400 in thread T0
#0 0x7fd7b3050517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55f80505df99 in l_alloc build-dbg/third_party/lua/lauxlib.c:1014
#2 0x55f805045161 in luaM_free_ build-dbg/third_party/lua/lmem.c:135
#3 0x55f80504dfa1 in freehash build-dbg/third_party/lua/ltable.c:371
#4 0x55f80504e8b0 in luaH_free build-dbg/third_party/lua/ltable.c:637
#5 0x55f805042ff4 in freeobj build-dbg/third_party/lua/lgc.c:783
#6 0x55f80504478e in deletelist build-dbg/third_party/lua/lgc.c:1494
#7 0x55f80504481b in luaC_freeallobjects build-dbg/third_party/lua/lgc.c:1511
#8 0x55f80504c23d in close_state build-dbg/third_party/lua/lstate.c:276
#9 0x55f80504c95a in lua_close build-dbg/third_party/lua/lstate.c:414



It's my first week with Lua, so most likely it is a bug in my code, but so far I could not find anything suspicious :(
My procedure finishes successfully and unwinds the stack to its original position. Any thoughts?


--
Best regards,
     Roman