lua-l archive


Xian Zeng <3123132899zeng@gmail.com> wrote on Tue, May 23, 2023 at 15:27:
>
> I found a stack overflow in luaV_execute function.
> Lua version:
> Lua 5.4.6
>
> How to reproduce:
>
> curl -R -O http://www.lua.org/ftp/lua-5.4.6.tar.gz
> tar zxf lua-5.4.6.tar.gz
> cd lua-5.4.6
> make all test
>
> luafuzz@FuzzVM:~/Desktop/lua-5.4.6/src$ gdb ./lua -q
> Reading symbols from ./lua...
> (No debugging symbols found in ./lua)
> (gdb) r /home/luafuzz/Desktop/11_005410496.lua

I found that 11_005410496.lua uses the debug function "debug.setlocal()",
and the debug API may crash the program:

     Several of its functions violate basic assumptions about Lua code
(e.g., that variables local to a function cannot be accessed from
outside; that userdata metatables cannot be changed by Lua code; that
Lua programs do not crash)
     https://www.lua.org/manual/5.4/manual.html#6.10