Roberto Ierusalimschy wrote:
> > > I found a heap buffer overflow which can cause a heap double
> > > free error.
> > [...]
> The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
> luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
> checks the stack and grows it if needed. However, there can be an error
> before that, in luaE_checkcstack. If luaE_checkcstack raises an error
> (C stack overflow), then luaG_errormsg will be called again without any
> stack check in-between, and then it will again assume EXTRA_STACK and
> that may cause a buffer overflow.
>
> -- Roberto

My debugging results (previous mail) are basically the same as your idea.
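The re-entrancy pattern Roberto describes (a handler assumes EXTRA_STACK is free because the normal call path checks the stack, but an earlier C-stack error re-enters the handler before that check runs) can be modelled without touching the Lua sources. The following C program is an added illustration, not code from Lua or from this thread: every name (ModelState, model_errormsg, model_checkcstack, MODEL_EXTRA_STACK and the small sizes) is constructed for the example, and the "hardened" variant simply verifies the slot exists before writing instead of assuming it, which is one way to express the invariant, not a claim about how Lua was actually patched. Out-of-bounds writes are counted rather than performed, so the model stays memory-safe while showing how many slots the assumption would have overrun.

```c
/* Added illustration, not Lua source: a miniature model of the re-entrancy
 * problem in the quoted message. All names and sizes are constructed. */
#include <stdio.h>
#include <string.h>

#define MODEL_STACK_SIZE   8   /* usable slots the VM believes it has */
#define MODEL_EXTRA_STACK  2   /* slack an error handler is allowed to assume */
#define MODEL_CSTACK_LIMIT 3   /* nested C calls before "C stack overflow" */
#define MODEL_ERRERR_LIMIT (MODEL_CSTACK_LIMIT + 3) /* give up: error in error handling */

typedef struct {
    int slots[MODEL_STACK_SIZE + MODEL_EXTRA_STACK];
    int top;        /* next free slot */
    int ncalls;     /* depth of the modelled C call chain */
    int overflowed; /* writes that would have landed past the array */
} ModelState;

/* luaE_checkcstack stand-in: "raises" (returns 1) when nesting is too deep */
static int model_checkcstack(ModelState *L) {
    return ++L->ncalls > MODEL_CSTACK_LIMIT;
}

/* Push the error object. The buggy path assumes EXTRA_STACK is free; the
 * hardened path verifies the slot exists before writing. Out-of-bounds
 * writes are counted, not performed. Returns 0 when the push was refused. */
static int model_push_errobj(ModelState *L, int check_before_use) {
    int cap = MODEL_STACK_SIZE + MODEL_EXTRA_STACK;
    if (check_before_use && L->top >= cap) return 0; /* no slot: refuse, do not write */
    if (L->top < cap) L->slots[L->top] = 0xE; else L->overflowed++;
    L->top++;
    return 1;
}

static void model_errormsg(ModelState *L, int check_before_use);

/* luaD_callnoyield -> luaD_precall stand-in: the C-stack check runs before
 * the data-stack check, so an error here re-enters errormsg with no data
 * stack check in between. */
static void model_call(ModelState *L, int check_before_use) {
    if (model_checkcstack(L)) {
        if (L->ncalls > MODEL_ERRERR_LIMIT) return; /* "error in error handling": stop */
        model_errormsg(L, check_before_use);
        return;
    }
    /* normal path would check and grow the data stack here */
}

/* luaG_errormsg stand-in: push the error object, then call the handler */
static void model_errormsg(ModelState *L, int check_before_use) {
    if (!model_push_errobj(L, check_before_use)) return;
    model_call(L, check_before_use);
}

/* Scenario: the data stack is full (an error just happened) and the C call
 * chain is already at its limit. Returns how many slots were written past
 * the allocation: 2 for the assuming variant, 0 for the checking variant. */
int model_run(int check_before_use) {
    ModelState L;
    memset(&L, 0, sizeof L);
    L.top = MODEL_STACK_SIZE;
    L.ncalls = MODEL_CSTACK_LIMIT;
    model_errormsg(&L, check_before_use);
    return L.overflowed;
}

int main(void) {
    printf("assume EXTRA_STACK: %d slot(s) past the allocation\n", model_run(0));
    printf("check before use:   %d slot(s) past the allocation\n", model_run(1));
    return 0;
}
```

Each re-entry consumes one more slot of the slack the handler assumed, so after MODEL_EXTRA_STACK nested errors the next push lands outside the allocation; in a real allocator that is the heap overflow the thread is discussing. The checking variant stops at the boundary, which is the property to look for when reviewing any "check once, then assume" path that an error handler can re-enter.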