Roberto Ierusalimschy wrote:
> > > I found a heap buffer overflow which can cause a heap double
> > > free error.
> > [...]
> The problem seems to be the use of the EXTRA_STACK at luaG_errormsg.
> luaG_errormsg calls luaD_callnoyield, which calls luaD_precall, which
> checks the stack and grows it if needed. However, there can be an error
> before that, in luaE_checkcstack. If luaE_checkcstack raises an error
> (C stack overflow), then luaG_errormsg will be called again without any
> stack check in-between, and then it will again assume EXTRA_STACK and
> that may cause a buffer overflow.
> -- Roberto
My debugging results (previous mail) are basically the same as your idea.