[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Specially crafted binary chunks can cause Lua to crash
- From: "Peter Cawley" <lua@...>
- Date: Wed, 26 Mar 2008 18:45:07 +0000
If it's bug fixed into 5.1.4, then I don't see why 5.2 would need a
new pseudo-opcode as the loophole is already closed.
On another note, the following exploits a bug in ldebug.c's precheck function:
The line in question is:
lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
If numparams is 255, and is_vararg has the HARARG flag set, then the
addition will overflow, and the function can have alot more parameters
than stack slots, leading to a segfault when the function is called.
On 26/03/2008, Roberto Ierusalimschy <email@example.com> wrote:
> > The bug is in ldebug.c's symbexec function again, but exploits the
> > fact that LOADBOOL with C != 0 isn't checked to see if it jumps over
> > an extended SETLIST, rather than yesterday's extended SETLIST as the
> > penultimate instruction.
> Maybe the correct way to fix these bugs would be to change that free
> slot after SETLIST into a new pseudo-instruction, with 26 free bits
> to keep the desired value. So, any jump to this slot would try to
> execute this instruction, and the VM could easily caught it with no
> overhead. Unfortunately, such change is incompatible with current
> binaries, and so it is not an option for a bug-fix release. But it is
> an option for 5.2.
> -- Roberto