Re: heap buffer overflow in luaH

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: heap buffer overflow in luaH_realasize()
From: Andrew Gierth <andrew@...>
Date: Tue, 23 May 2023 12:04:47 +0100

>>>>> "云风" == 云风 Cloud Wu <cloudwu@gmail.com> writes:

 云风> I found 11_005410496.lua uses a debug function "debug.setlocal()" ,
 云风> and the debug api may crashs the program :

Specifically, what's happening is that the debug.setlocal call is
overwriting the temporary value holding the table that is being
constructed to contain its return value. Honestly it seems unreasonable
for the interpreter to even try and defend against things like this; the
temporary should not be visible to any code other than the debug
library, so there is no reason for its value to change unexpectedly.
(This could perhaps be checked in the OP_SETLIST opcode, at the expense
of adding some small overhead to every {...} construct.)

For me, this simpler code crashes the same way:

  return {debug.setlocal(1,1,nil)}

which makes the issue a bit more obvious.

-- 
Andrew.

Follow-Ups:
- Re: heap buffer overflow in luaH_realasize(), Roberto Ierusalimschy

References:
- heap buffer overflow in luaH_realasize(), Xian Zeng
- Re: heap buffer overflow in luaH_realasize(), 云风 Cloud Wu

Prev by Date: Re: heap buffer overflow in luaH_realasize()
Next by Date: Bug report: Header dependency issue in 5.4.6
Previous by thread: Re: heap buffer overflow in luaH_realasize()
Next by thread: Re: heap buffer overflow in luaH_realasize()
Index(es):
- Date
- Thread