BUG: 'luaV_settable' may invalidate a reference to a table and try

to reuse it.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2009-07-01 18:10:33 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2009-07-01 18:10:33 -0300
commit: d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18 (patch)
tree: b209ba420259badad879f706686c493a83ae7b61
parent: afb3f7e754bde70895d639ff2a2738409a51c60e (diff)
download: lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.tar.gz
lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.tar.bz2
lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.zip
1 files changed, 46 insertions, 5 deletions
diff --git a/bugs b/bugs
index a85e40cb..3b45c0c2 100644
--- a/bugs
+++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
 +++ lundump.c   2008/04/04 19:51:41     2.7.1.4
 @@ -1,5 +1,5 @@
 /*
-** $Id: bugs,v 1.99 2009/04/27 20:11:11 roberto Exp roberto $
+-** $Id: bugs,v 1.100 2009/06/15 14:12:59 roberto Exp roberto $
-+** $Id: bugs,v 1.99 2009/04/27 20:11:11 roberto Exp roberto $
+** $Id: bugs,v 1.100 2009/06/15 14:12:59 roberto Exp roberto $
 ** load precompiled Lua chunks
 ** See Copyright Notice in lua.h
 */
@@ -2060,7 +2060,7 @@ patch = [[
 Bug{
 what = [[internal macro 'svalue' is wrong]],
-report = [["Martijn van Buul, on 2008/08/04]],
+report = [[Martijn van Buul, on 2008/08/04]],
 since = [[5.1]],
 example = [[
 /* in luaconf.h */
@@ -2083,7 +2083,7 @@ patch = [[
 Bug{
 what = [[malicious zero-length string in binary code may segfault Lua]],
-report = [["Peter Cawley, on 2008/09/01]],
+report = [[Peter Cawley, on 2008/09/01]],
 since = [[5.1]],
 example = [[
 loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()
@@ -2095,7 +2095,7 @@ patch = [[
 Bug{
 what = [[wrong code generation for some particular boolean expressions]],
-report = [["Brian Kelley, on 2009/04/15]],
+report = [[Brian Kelley, on 2009/04/15]],
 since = [[5.0]],
 example = [[
 print(((1 or false) and true) or false)   --> 1
@@ -2152,3 +2152,44 @@ patch = [[
 ]],
 }
+Bug{
+what = [['luaV_settable' may invalidate a reference to a table and try
+to reuse it]],
+report = [[Mark Feldman, on 2009/06/27]],
+since = [[5.0]],
+example = [[
+grandparent = {}
+grandparent.__newindex = function(s,_,_) print(s) end
+parent = {}
+parent.__newindex = parent
+setmetatable(parent, grandparent)
+child = setmetatable({}, parent)
+child.foo = 10      --> (crash on some machines)
+]],
+patch = [[
+--- lvm.c       2007/12/28 15:32:23     2.63.1.3
+++ lvm.c       2009/07/01 20:36:59
+@@ -133,6 +133,7 @@
+ 
+ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+   int loop;
+  TValue temp;
+   for (loop = 0; loop < MAXTAGLOOP; loop++) {
+     const TValue *tm;
+     if (ttistable(t)) {  /* `t' is a table? */
+@@ -152,7 +153,9 @@
+       callTM(L, tm, t, key, val);
+       return;
+     }
+-    t = tm;  /* else repeat with `tm' */ 
+    /* else repeat with `tm' */
+    setobj(L, &temp, tm);  /* avoid pointing inside table (may rehash) */
+    t = &temp;
+   }
+   luaG_runerror(L, "loop in settable");
+ }
+]],
+}
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2009-07-01 18:10:33 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2009-07-01 18:10:33 -0300
commit	d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18 (patch)
tree	b209ba420259badad879f706686c493a83ae7b61
parent	afb3f7e754bde70895d639ff2a2738409a51c60e (diff)
download	lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.tar.gz lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.tar.bz2 lua-d57c9cdefc6f00d8bf8bb24b96e65631a1c3ef18.zip

diff --git a/bugs b/bugs index a85e40cb..3b45c0c2 100644 --- a/bugs +++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4	1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4
1881	@@ -1,5 +1,5 @@	1881	@@ -1,5 +1,5 @@
1882	/*	1882	/*
1883	-** $Id: bugs,v 1.99 2009/04/27 20:11:11 roberto Exp roberto $	1883	-** $Id: bugs,v 1.100 2009/06/15 14:12:59 roberto Exp roberto $
1884	+** $Id: bugs,v 1.99 2009/04/27 20:11:11 roberto Exp roberto $	1884	+** $Id: bugs,v 1.100 2009/06/15 14:12:59 roberto Exp roberto $
1885	** load precompiled Lua chunks	1885	** load precompiled Lua chunks
1886	** See Copyright Notice in lua.h	1886	** See Copyright Notice in lua.h
1887	*/	1887	*/
@@ -2060,7 +2060,7 @@ patch = [[
2060		2060
2061	Bug{	2061	Bug{
2062	what = [[internal macro 'svalue' is wrong]],	2062	what = [[internal macro 'svalue' is wrong]],
2063	report = [["Martijn van Buul, on 2008/08/04]],	2063	report = [[Martijn van Buul, on 2008/08/04]],
2064	since = [[5.1]],	2064	since = [[5.1]],
2065	example = [[	2065	example = [[
2066	/* in luaconf.h */	2066	/* in luaconf.h */
@@ -2083,7 +2083,7 @@ patch = [[
2083		2083
2084	Bug{	2084	Bug{
2085	what = [[malicious zero-length string in binary code may segfault Lua]],	2085	what = [[malicious zero-length string in binary code may segfault Lua]],
2086	report = [["Peter Cawley, on 2008/09/01]],	2086	report = [[Peter Cawley, on 2008/09/01]],
2087	since = [[5.1]],	2087	since = [[5.1]],
2088	example = [[	2088	example = [[
2089	loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()	2089	loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()
@@ -2095,7 +2095,7 @@ patch = [[
2095		2095
2096	Bug{	2096	Bug{
2097	what = [[wrong code generation for some particular boolean expressions]],	2097	what = [[wrong code generation for some particular boolean expressions]],
2098	report = [["Brian Kelley, on 2009/04/15]],	2098	report = [[Brian Kelley, on 2009/04/15]],
2099	since = [[5.0]],	2099	since = [[5.0]],
2100	example = [[	2100	example = [[
2101	print(((1 or false) and true) or false) --> 1	2101	print(((1 or false) and true) or false) --> 1
@@ -2152,3 +2152,44 @@ patch = [[
2152	]],	2152	]],
2153	}	2153	}
2154		2154
		2155	Bug{
		2156	what = [['luaV_settable' may invalidate a reference to a table and try
		2157	to reuse it]],
		2158	report = [[Mark Feldman, on 2009/06/27]],
		2159	since = [[5.0]],
		2160	example = [[
		2161	grandparent = {}
		2162	grandparent.__newindex = function(s,_,_) print(s) end
		2163
		2164	parent = {}
		2165	parent.__newindex = parent
		2166	setmetatable(parent, grandparent)
		2167
		2168	child = setmetatable({}, parent)
		2169	child.foo = 10 --> (crash on some machines)
		2170	]],
		2171	patch = [[
		2172	--- lvm.c 2007/12/28 15:32:23 2.63.1.3
		2173	+++ lvm.c 2009/07/01 20:36:59
		2174	@@ -133,6 +133,7 @@
		2175
		2176	void luaV_settable (lua_State L, const TValue t, TValue *key, StkId val) {
		2177	int loop;
		2178	+ TValue temp;
		2179	for (loop = 0; loop < MAXTAGLOOP; loop++) {
		2180	const TValue *tm;
		2181	if (ttistable(t)) { /* `t' is a table? */
		2182	@@ -152,7 +153,9 @@
		2183	callTM(L, tm, t, key, val);
		2184	return;
		2185	}
		2186	- t = tm; /* else repeat with `tm' */
		2187	+ /* else repeat with `tm' */
		2188	+ setobj(L, &temp, tm); /* avoid pointing inside table (may rehash) */
		2189	+ t = &temp;
		2190	}
		2191	luaG_runerror(L, "loop in settable");
		2192	}
		2193	]],
		2194	}
		2195