Re: Heap overflow in luaH

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Heap overflow in luaH_get
From: 云风 Cloud Wu <cloudwu@...>
Date: Fri, 10 Jul 2020 12:52:46 +0800

Roberto Ierusalimschy <roberto@inf.puc-rio.br> 于2020年7月9日周四 下午10:02写道：
>
> Exactly! I guess the correction is moving its age back to OLD0, but
> I have to check that. Similar problems should occurr with other ages.

I make a simpler test case to reveal this bug. It always crashs when I
define a especial allocater for lua .
It may be helpful.

setmetatable ({}, { __gc = function(a) -- 1st finalizer
   setmetatable(a, { __gc = function (b) -- 2nd finalizer
     print(getmetatable(b))
     print(getmetatable(b).x) -- should be 42
     collectgarbage "step"
     collectgarbage "step"
     print(getmetatable(b))
     print(getmetatable(b).x) -- may crash !! use 2nd metatable after free
   end,
   x = 42,
   })
   a = nil
   collectgarbage "step" -- trigger 2nd finalizer
end })

collectgarbage "step" -- trigger 1st finalizer

-- 
http://blog.codingnow.com

Follow-Ups:
- Re: Heap overflow in luaH_get, Dibyendu Majumdar

References:
- Heap overflow in luaH_get, Yongheng Chen
- Re: Heap overflow in luaH_get, Andrew Gierth
- Re: Heap overflow in luaH_get, Roberto Ierusalimschy

Prev by Date: Re: New param in lua_resume in Lua 5.4
Next by Date: Re: Heap overflow in luaH_get
Previous by thread: Re: Heap overflow in luaH_get
Next by thread: Re: Heap overflow in luaH_get
Index(es):
- Date
- Thread