- Subject: Re: Specially crafted binary chunks can cause Lua to crash
- From: "Peter Cawley" <lua@...>
- Date: Tue, 25 Mar 2008 15:49:42 +0000
Slight variation on yesterday's bug:
loadstring(string.dump(function(...)a,b,c,d=...;a=1;end):gsub("e%z\128\2.....",'\2@\128\0"\0\128\0$'))()
Creates a function that starts with an easy-to-find opcode (4 locals
from vararg becomes "e\0\128\2") and enough instructions after it to
overwrite (a=1 is a LOADK plus SETGLOBAL; combined with the VARARG that is
3 instructions). Then replaces the three instructions with:
LOADBOOL (with C = 1, to cause VM to skip the SETLIST)
SETLIST (with C = 0, to cause code checker to skip next instruction)
CLOSURE (The aftermath of closing a non-existent prototype causes the segfault)
The bug is in ldebug.c's symbexec function again, but exploits the
fact that LOADBOOL with C != 0 isn't checked to see if it jumps over
an extended SETLIST, rather than yesterday's extended SETLIST as the
penultimate instruction.
On 24/03/2008, Luiz Henrique de Figueiredo <lhf@tecgraf.puc-rio.br> wrote:
> Thanks for the report.
>
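As an added example (not from this message or from Lua's own sources), a small Lua 5.1 scanner that refuses a binary chunk whose top-level code contains the pattern described above, a LOADBOOL with C ~= 0 immediately followed by a SETLIST with C == 0, before the chunk is handed to loadstring. It assumes a little-endian chunk with 4-byte ints and instructions, reads sizeof(size_t) from the header, and inspects only the top-level function's code, not nested prototypes.

```lua
-- Added example, not part of the original mail or of Lua itself.
local OP_LOADBOOL, OP_SETLIST = 2, 34   -- Lua 5.1 opcode numbers

-- Read an n-byte little-endian unsigned integer at pos; returns value, next pos.
local function read_uint(s, pos, n)
  if pos + n - 1 > #s then error("truncated chunk") end
  local v = 0
  for i = n - 1, 0, -1 do v = v * 256 + s:byte(pos + i) end
  return v, pos + n
end

-- Split a 5.1 instruction word: opcode bits 0-5, A 6-13, C 14-22, B 23-31.
local function decode(word)
  local op = word % 64
  local a  = math.floor(word / 64) % 256
  local c  = math.floor(word / 16384) % 512      -- 2^14
  local b  = math.floor(word / 8388608) % 512    -- 2^23
  return op, a, b, c
end

local function scan(s)
  if s:sub(1, 4) ~= "\27Lua" or s:byte(5) ~= 0x51 then
    return false, "not a Lua 5.1 binary chunk"
  end
  -- header bytes 7..10: endianness, sizeof(int), sizeof(size_t), sizeof(Instruction)
  local endian, int_sz, sizet_sz, ins_sz = s:byte(7, 10)
  if endian ~= 1 or int_sz ~= 4 or ins_sz ~= 4 then
    return false, "unsupported chunk header layout"
  end
  local pos = 13
  local srclen; srclen, pos = read_uint(s, pos, sizet_sz)  -- length of source name
  pos = pos + srclen + 8 + 4   -- skip source name, two line ints, four byte-sized fields
  local ncode; ncode, pos = read_uint(s, pos, int_sz)
  local prev_op, prev_c
  for i = 1, ncode do
    local word; word, pos = read_uint(s, pos, ins_sz)
    local op, _, _, c = decode(word)
    if prev_op == OP_LOADBOOL and prev_c ~= 0 and op == OP_SETLIST and c == 0 then
      return false, ("LOADBOOL skip into extended SETLIST at instruction %d"):format(i)
    end
    prev_op, prev_c = op, c
  end
  return true
end

-- Accepts a chunk only if it is well formed and free of the pattern above.
function check_chunk(s)
  local ok, accepted, why = pcall(scan, s)
  if not ok then return false, accepted end   -- accepted holds the error text here
  return accepted, why
end
```

When untrusted input need not be bytecode at all, rejecting every chunk that starts with "\27" is the simpler and stronger defence.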