- Subject: Re: heap-buffer-overflow found in luaG_errormsg
- From: Roberto Ierusalimschy <roberto@...>
- Date: Fri, 13 May 2022 15:41:17 -0300
> > I found a heap buffer overflow which can cause a heap double free error.
The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
checks the stack and grows it if needed. However, there can be an error
before that, in luaE_checkcstack. If luaE_checkcstack raises an error
(C stack overflow), then luaG_errormsg will be called again without any
stack check in-between, and then it will again assume EXTRA_STACK and
that may cause a buffer overflow.
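The re-entry described above, as an added model that is not Lua's own code and not part of the original message. It keeps only the bookkeeping that matters: a heap-allocated stack with a checked size plus EXTRA_STACK slack, a counter of slots pushed since the last stack check, and the call chain errormsg -> callnoyield -> checkcstack -> precall. The constants BASE_STACK and MSG_SLOTS (how many slots the message formatting uses) are constructed, and the "hardened" ordering, which runs the stack check before the C-stack check, is one mitigation consistent with the diagnosis; it is assumed here and is not claimed to be the fix the Lua team adopted.

```c
/* Constructed model of errormsg -> callnoyield -> checkcstack -> precall.
 * Not Lua's code. Pushes outside the allocation are flagged, not performed,
 * so the model reports the overflow a sanitizer would catch in real Lua. */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

#define EXTRA_STACK 5     /* slack above the checked size, as in Lua 5.4 */
#define MAXCCALLS   200   /* default LUAI_MAXCCALLS in Lua 5.4 */
#define BASE_STACK  20    /* constructed: checked stack size when the error hits */
#define MSG_SLOTS   4     /* constructed: slots used to format the error message */

typedef struct {
    int *slots;              /* allocation of size + EXTRA_STACK ints */
    int size;                /* slots a checked operation may rely on */
    int top;                 /* next free slot */
    int nCcalls;             /* nested C calls, as in lua_State */
    int unchecked;           /* pushes since the last stack check */
    int worst_unchecked;     /* high-water mark of unchecked */
    int overflowed;          /* a push fell outside the allocation */
    int handler_entries;     /* times errormsg was entered */
    int check_before_cstack; /* 1 = hardened ordering in callnoyield */
    jmp_buf *errorJmp;
} State;

typedef struct { int status, worst_unchecked, overflowed, handler_entries; } Result;

/* One push that "assumes EXTRA_STACK": valid only while the slack is free. */
static void push(State *L) {
    if (L->top >= L->size + EXTRA_STACK)
        L->overflowed = 1;          /* real Lua would write past the heap block */
    else
        L->slots[L->top] = 1;
    L->top++;
    if (++L->unchecked > L->worst_unchecked) L->worst_unchecked = L->unchecked;
}

/* Model of luaD_checkstack: guarantees n free checked slots; after it the
 * EXTRA_STACK slack is free again, so the unchecked run restarts at zero. */
static void check_stack(State *L, int n) {
    if (L->top + n > L->size) {
        L->size = L->top + n;       /* growth policy is irrelevant to the point */
        L->slots = realloc(L->slots, (size_t)(L->size + EXTRA_STACK) * sizeof(int));
    }
    L->unchecked = 0;
}

static void errormsg(State *L);

/* Model of luaE_checkcstack: exactly at the limit it raises a Lua error
 * ("C stack overflow"), which formats a message on the stack and re-enters
 * errormsg; well past the limit it throws directly so the handler cannot
 * recurse forever. */
static void checkcstack(State *L) {
    if (L->nCcalls == MAXCCALLS) {
        for (int i = 0; i < MSG_SLOTS; i++) push(L);  /* runerror builds the message */
        errormsg(L);                                  /* does not return */
    } else if (L->nCcalls >= MAXCCALLS / 10 * 11) {
        longjmp(*L->errorJmp, 2);                     /* LUA_ERRERR */
    }
}

/* Model of luaD_callnoyield: the C-stack check runs before precall's stack
 * check, so an error raised from it re-enters errormsg with the slack in use. */
static void callnoyield(State *L) {
    L->nCcalls++;
    if (L->nCcalls >= MAXCCALLS) {
        if (L->check_before_cstack) check_stack(L, 0); /* hardened: free the slack first */
        checkcstack(L);
    }
    check_stack(L, 1);  /* luaD_precall: room for the callee's frame */
    L->top--;           /* the handler ran (a no-op here) and consumed its argument */
    L->nCcalls--;
}

/* Model of luaG_errormsg: push the handler assuming EXTRA_STACK, call it, throw. */
static void errormsg(State *L) {
    L->handler_entries++;
    push(L);
    callnoyield(L);
    longjmp(*L->errorJmp, 1);  /* LUA_ERRRUN */
}

/* Raise an error one C call below the limit and report what happened. */
static Result run_scenario(int check_before_cstack) {
    State *L = calloc(1, sizeof *L);  /* heap, so longjmp cannot clobber it */
    jmp_buf jb;
    Result r;
    L->slots = calloc(BASE_STACK + EXTRA_STACK, sizeof(int));
    L->size = BASE_STACK;
    L->top = BASE_STACK;              /* checked part full: only the slack is left */
    L->nCcalls = MAXCCALLS - 1;       /* next C call trips the C-stack check */
    L->check_before_cstack = check_before_cstack;
    L->errorJmp = &jb;
    r.status = setjmp(jb);
    if (r.status == 0) errormsg(L);   /* something raised an error under a handler */
    r.worst_unchecked = L->worst_unchecked;
    r.overflowed = L->overflowed;
    r.handler_entries = L->handler_entries;
    free(L->slots);
    free(L);
    return r;
}

int main(void) {
    for (int hardened = 0; hardened <= 1; hardened++) {
        Result r = run_scenario(hardened);
        printf("%s: status=%d handler_entries=%d unchecked pushes=%d (slack %d) overflow=%d\n",
               hardened ? "check before cstack" : "as described", r.status,
               r.handler_entries, r.worst_unchecked, EXTRA_STACK, r.overflowed);
    }
    return 0;
}
```

In the ordering from the message, the first handler push, the message slots and the second handler push all land in the slack without any check in between, one slot more than EXTRA_STACK covers in this model; with a stack check ahead of the C-stack check, the unchecked run is bounded by one message plus one handler push no matter how the error is re-raised. The exact count depends on how many slots the message formatting uses, which is why the lack of any check between the two entries, not the specific number, is the defect.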