Roberto Ierusalimschy wrote:

> > I found a heap buffer overflow which can cause a heap double
> > free error.
> > [...]
> The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
> luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
> checks the stack and grows it if needed. However, there can be an error
> before that, in luaE_checkcstack. If luaE_checkcstack raises an error
> (C stack overflow), then luaG_errormsg will be called again without any
> stack check in-between, and then it will again assume EXTRA_STACK and
> that may cause a buffer overflow.
>
> -- Roberto

My debugging results (previous mail) are basically the same as your idea.