BUG: lua_setfenv may crash if called over an invalid object

author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2007-11-28 16:27:38 -0200
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2007-11-28 16:27:38 -0200
commit: abcc124df05fe19470abdb9d665160a7e3b01495 (patch)
tree: a1ee289114ba8105800d24c1b08a3725b8778690
parent: b4164a9aa7760be7d66f90d6af5093b9ff26fb0c (diff)
download: lua-abcc124df05fe19470abdb9d665160a7e3b01495.tar.gz
lua-abcc124df05fe19470abdb9d665160a7e3b01495.tar.bz2
lua-abcc124df05fe19470abdb9d665160a7e3b01495.zip
2 files changed, 23 insertions, 2 deletions
diff --git a/bugs b/bugs
index ed2eb666..fe6b2b81 100644
--- a/bugs
+++ b/bugs
@@ -1595,6 +1595,27 @@ ltablib.c:
 }
 Bug{
+what = [[lua_setfenv may crash if called over an invalid object]],
+report = [[Mike Pall, on 11/2007]],
+since = [[5.1]],
+example = [[
+> debug.setfenv(3, {})
+]],
+patch = [[
+lapi.c:
+@@ -749,7 +749,7 @@
+       res = 0;
+       break;
+   }
+-  luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
+  if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
+   L->top--;
+   lua_unlock(L);
+   return res;
+]],
+}
+Bug{
 what = [[ ]],
 report = [[ , on ]],
 since = [[i ]],
diff --git a/lapi.c b/lapi.c
index 50b738ce..bb9927d9 100644
--- a/lapi.c
+++ b/lapi.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lapi.c,v 2.60 2007/04/17 13:19:53 roberto Exp roberto $
+** $Id: lapi.c,v 2.61 2007/08/07 16:53:40 roberto Exp roberto $
 ** Lua API
 ** See Copyright Notice in lua.h
 */
@@ -733,7 +733,7 @@ LUA_API int lua_setfenv (lua_State *L, int idx) {
      res = 0;
      break;
  }
-  luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
+  if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
  L->top--;
  lua_unlock(L);
  return res;
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2007-11-28 16:27:38 -0200
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2007-11-28 16:27:38 -0200
commit	abcc124df05fe19470abdb9d665160a7e3b01495 (patch)
tree	a1ee289114ba8105800d24c1b08a3725b8778690
parent	b4164a9aa7760be7d66f90d6af5093b9ff26fb0c (diff)
download	lua-abcc124df05fe19470abdb9d665160a7e3b01495.tar.gz lua-abcc124df05fe19470abdb9d665160a7e3b01495.tar.bz2 lua-abcc124df05fe19470abdb9d665160a7e3b01495.zip

diff --git a/bugs b/bugs index ed2eb666..fe6b2b81 100644 --- a/bugs +++ b/bugs
@@ -1595,6 +1595,27 @@ ltablib.c:
1595	}	1595	}
1596		1596
1597	Bug{	1597	Bug{
		1598	what = [[lua_setfenv may crash if called over an invalid object]],
		1599	report = [[Mike Pall, on 11/2007]],
		1600	since = [[5.1]],
		1601	example = [[
		1602	> debug.setfenv(3, {})
		1603	]],
		1604	patch = [[
		1605	lapi.c:
		1606	@@ -749,7 +749,7 @@
		1607	res = 0;
		1608	break;
		1609	}
		1610	- luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
		1611	+ if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
		1612	L->top--;
		1613	lua_unlock(L);
		1614	return res;
		1615	]],
		1616	}
		1617
		1618	Bug{
1598	what = [[ ]],	1619	what = [[ ]],
1599	report = [[ , on ]],	1620	report = [[ , on ]],
1600	since = [[i ]],	1621	since = [[i ]],


diff --git a/lapi.c b/lapi.c index 50b738ce..bb9927d9 100644 --- a/lapi.c +++ b/lapi.c
@@ -1,5 +1,5 @@
1	/*	1	/*
2	** $Id: lapi.c,v 2.60 2007/04/17 13:19:53 roberto Exp roberto $	2	** $Id: lapi.c,v 2.61 2007/08/07 16:53:40 roberto Exp roberto $
3	** Lua API	3	** Lua API
4	** See Copyright Notice in lua.h	4	** See Copyright Notice in lua.h
5	*/	5	*/
@@ -733,7 +733,7 @@ LUA_API int lua_setfenv (lua_State *L, int idx) {
733	res = 0;	733	res = 0;
734	break;	734	break;
735	}	735	}
736	luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));	736	if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
737	L->top--;	737	L->top--;
738	lua_unlock(L);	738	lua_unlock(L);
739	return res;	739	return res;