lua-l archive


If it's bug fixed into 5.1.4, then I don't see why 5.2 would need a
new pseudo-opcode as the loophole is already closed.

On another note, the following exploits a bug in ldebug.c's precheck function:

loadstring(string.dump(function(a,b,c)end):gsub("%z\3%z\3","\0\255\1\3",1))()

The line in question is:

lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);

If numparams is 255, and is_vararg has the HASARG flag set, then the
addition will overflow, and the function can have a lot more parameters
than stack slots, leading to a segfault when the function is called.

On 26/03/2008, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
> > The bug is in ldebug.c's symbexec function again, but exploits the
> > fact that LOADBOOL with C != 0 isn't checked to see if it jumps over
> > an extended SETLIST, rather than yesterday's extended SETLIST as the
> > penultimate instruction.
>
>
> Maybe the correct way to fix these bugs would be to change that free
> slot after SETLIST into a new pseudo-instruction, with 26 free bits
> to keep the desired value. So, any jump to this slot would try to
> execute this instruction, and the VM could easily catch it with no
> overhead. Unfortunately, such change is incompatible with current
> binaries, and so it is not an option for a bug-fix release. But it is
> an option for 5.2.
>
>
> -- Roberto
>
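As an added, loader-side example (not code from this message, nor from Lua itself), the following Python walks a Lua 5.1 binary chunk far enough to reach the main prototype's nups / numparams / is_vararg / maxstacksize bytes, the four bytes the one-liner above rewrites, and evaluates the precheck invariant in unbounded integers, so a chunk patched that way is rejected before it reaches the VM. The chunk bytes are constructed by hand and truncated right after those fields; the source name "=x" and the line numbers are assumptions.

```python
import struct

VARARG_HASARG = 1  # flag bit from Lua 5.1's lobject.h

def parse_proto_header(chunk: bytes) -> dict:
    """Walk a Lua 5.1 binary chunk up to the main prototype's
    nups / numparams / is_vararg / maxstacksize bytes.  Nothing past
    them (code, constants, nested protos, debug info) is read."""
    if chunk[:4] != b"\x1bLua" or chunk[4] != 0x51:
        raise ValueError("not a Lua 5.1 binary chunk")
    endian = "<" if chunk[6] == 1 else ">"
    size_int, size_t = chunk[7], chunk[8]
    if size_int != 4 or size_t not in (4, 8):
        raise ValueError("unsupported header sizes")
    pos = 12                                   # fixed 12-byte header
    fmt = endian + ("Q" if size_t == 8 else "I")
    (srclen,) = struct.unpack_from(fmt, chunk, pos)   # source name length
    pos += size_t + srclen                     # skip length and name (NUL included)
    pos += 2 * size_int                        # linedefined, lastlinedefined
    if len(chunk) < pos + 4:
        raise ValueError("chunk truncated before prototype fields")
    nups, numparams, is_vararg, maxstack = chunk[pos:pos + 4]
    return {"nups": nups, "numparams": numparams,
            "is_vararg": is_vararg, "maxstacksize": maxstack}

def precheck_ok(p: dict) -> bool:
    """The parameter/stack invariant ldebug.c's precheck enforces, evaluated
    in unbounded integers so 255 + 1 can never wrap below maxstacksize."""
    return p["numparams"] + (p["is_vararg"] & VARARG_HASARG) <= p["maxstacksize"]

# Constructed stand-in for string.dump(function(a,b,c) end): little-endian,
# 4-byte int, 4-byte size_t, source "=x", lines 1..1, then nups=0,
# numparams=3, is_vararg=0, maxstacksize=3.  Code and constants are omitted
# because the checker never reads past these four bytes.
GOOD_CHUNK = (b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
              + b"\x03\x00\x00\x00=x\x00"
              + b"\x01\x00\x00\x00\x01\x00\x00\x00"
              + b"\x00\x03\x00\x03")
# The same bytes after the substitution the one-liner in the message performs.
BAD_CHUNK = GOOD_CHUNK.replace(b"\x00\x03\x00\x03", b"\x00\xff\x01\x03", 1)

def chunk_passes_precheck(chunk: bytes) -> bool:
    return precheck_ok(parse_proto_header(chunk))

if __name__ == "__main__":
    print("original:", chunk_passes_precheck(GOOD_CHUNK))   # True
    print("patched: ", chunk_passes_precheck(BAD_CHUNK))    # False
```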