Re: heap buffer overflow in luaH

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: heap buffer overflow in luaH_realasize()
From: Roberto Ierusalimschy <roberto@...>
Date: Tue, 23 May 2023 15:15:59 -0300

> Specifically, what's happening is that the debug.setlocal call is
> overwriting the temporary value holding the table that is being
> constructed to contain its return value. Honestly it seems unreasonable
> for the interpreter to even try and defend against things like this; the
> temporary should not be visible to any code other than the debug
> library, so there is no reason for its value to change unexpectedly.

Right. Note that this is explicitly mentioned in the warning about the
debug library in the manual (already sent to this thread):

        Several of its functions violate basic assumptions about Lua
        code (e.g., THAT VARIABLES LOCAL TO A FUNCTION CANNOT BE
        ACCESSED FROM OUTSIDE; that userdata metatables cannot be
        changed by Lua code; that Lua programs do not crash)

(emphasis added)

-- Roberto

Follow-Ups:
- Debug, was: heap buffer overflow in luaH_realasize(), Paul Ducklin

References:
- heap buffer overflow in luaH_realasize(), Xian Zeng
- Re: heap buffer overflow in luaH_realasize(), 云风 Cloud Wu
- Re: heap buffer overflow in luaH_realasize(), Andrew Gierth

Prev by Date: Bug report: Header dependency issue in 5.4.6
Next by Date: Debug, was: heap buffer overflow in luaH_realasize()
Previous by thread: Re: heap buffer overflow in luaH_realasize()
Next by thread: Debug, was: heap buffer overflow in luaH_realasize()
Index(es):
- Date
- Thread