Re: Null dereference in findvararg via checkclosemth

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Null dereference in findvararg via checkclosemth
From: Roberto Ierusalimschy <roberto@...>
Date: Thu, 29 Jun 2023 11:37:54 -0300

> [...]
> 
> I don't know the internal data structures enough to say anything
> authoritative, but it strikes me as possible, at least, that the
> assignment to *pos cannot be reached in this case because one of the
> four ifs - two each in luaG_findlocal and findvararg - will always fail
> when called this way from checkclosemth.

Indeed. In the call to luaG_findlocal in checkclosemth, 'idx' cannot
be negative. Then, 'n' in luaG_findlocal cannot be negative, and
therefore it will not call findvararg.

The proof that 'idx' cannot be negative in checkclosemth comes from
the fact that 'level' in luaF_newtbcupval is always larger than
L->ci->func.p. That basically represents the fact that we cannot
close a vararg argument.

There are three calls to luaF_newtbcupval: two are in lvm.c, where idx
comes from 'ra', which must be equal to or larger than base, which is
func.p+1. The other call is in lua_toclose, where the computations and
asserts in 'index2stack' show that its result cannot be smaller than
func.p.

-- Roberto

References:
- Null dereference in findvararg via checkclosemth, r.yudichev
- Re: Null dereference in findvararg via checkclosemth, Mouse

Prev by Date: Re: Null dereference in findvararg via checkclosemth
Next by Date: Re: Bad-cert-domain on https://lua-users.org/lists/lua-l/
Previous by thread: Re: Null dereference in findvararg via checkclosemth
Next by thread: Ask userdata type from Lua
Index(es):
- Date
- Thread