diff options
| author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-02-26 11:31:10 -0300 |
|---|---|---|
| committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-02-26 11:31:10 -0300 |
| commit | f9e35627ed26dff4114a1d01ff113d8b4cc91ab5 (patch) | |
| tree | ad817f574adcd2d57720c8a498626919b85e6e78 | |
| parent | ceac82f78be8baeddfa8536472d8b08df2eb7d49 (diff) | |
| download | lua-f9e35627ed26dff4114a1d01ff113d8b4cc91ab5.tar.gz lua-f9e35627ed26dff4114a1d01ff113d8b4cc91ab5.tar.bz2 lua-f9e35627ed26dff4114a1d01ff113d8b4cc91ab5.zip | |
'lua_State.nci' must be an integer
Lua can easily overflow an unsigned short counting nested calls.
(The limit to this value is the maximum stack size, LUAI_MAXSTACK,
which is currently 1e6.)
| -rw-r--r-- | lstate.h | 2 | ||||
| -rw-r--r-- | ltests.h | 7 | ||||
| -rw-r--r-- | testes/coroutine.lua | 12 |
3 files changed, 18 insertions, 3 deletions
| @@ -290,7 +290,6 @@ struct lua_State { | |||
| 290 | CommonHeader; | 290 | CommonHeader; |
| 291 | lu_byte allowhook; | 291 | lu_byte allowhook; |
| 292 | TStatus status; | 292 | TStatus status; |
| 293 | unsigned short nci; /* number of items in 'ci' list */ | ||
| 294 | StkIdRel top; /* first free slot in the stack */ | 293 | StkIdRel top; /* first free slot in the stack */ |
| 295 | struct global_State *l_G; | 294 | struct global_State *l_G; |
| 296 | CallInfo *ci; /* call info for current function */ | 295 | CallInfo *ci; /* call info for current function */ |
| @@ -306,6 +305,7 @@ struct lua_State { | |||
| 306 | ptrdiff_t errfunc; /* current error handling function (stack index) */ | 305 | ptrdiff_t errfunc; /* current error handling function (stack index) */ |
| 307 | l_uint32 nCcalls; /* number of nested non-yieldable or C calls */ | 306 | l_uint32 nCcalls; /* number of nested non-yieldable or C calls */ |
| 308 | int oldpc; /* last pc traced */ | 307 | int oldpc; /* last pc traced */ |
| 308 | int nci; /* number of items in 'ci' list */ | ||
| 309 | int basehookcount; | 309 | int basehookcount; |
| 310 | int hookcount; | 310 | int hookcount; |
| 311 | volatile l_signalT hookmask; | 311 | volatile l_signalT hookmask; |
| @@ -152,9 +152,12 @@ LUA_API void *debug_realloc (void *ud, void *block, | |||
| 152 | */ | 152 | */ |
| 153 | 153 | ||
| 154 | 154 | ||
| 155 | /* make stack-overflow tests run faster */ | 155 | /* |
| 156 | ** Reduce maximum stack size to make stack-overflow tests run faster. | ||
| 157 | ** (But value is still large enough to overflow smaller integers.) | ||
| 158 | */ | ||
| 156 | #undef LUAI_MAXSTACK | 159 | #undef LUAI_MAXSTACK |
| 157 | #define LUAI_MAXSTACK 50000 | 160 | #define LUAI_MAXSTACK 68000 |
| 158 | 161 | ||
| 159 | 162 | ||
| 160 | /* test mode uses more stack space */ | 163 | /* test mode uses more stack space */ |
diff --git a/testes/coroutine.lua b/testes/coroutine.lua index 78b9bdca..abc08039 100644 --- a/testes/coroutine.lua +++ b/testes/coroutine.lua | |||
| @@ -127,6 +127,18 @@ assert(#a == 22 and a[#a] == 79) | |||
| 127 | x, a = nil | 127 | x, a = nil |
| 128 | 128 | ||
| 129 | 129 | ||
| 130 | do -- "bug" in 5.4.2 | ||
| 131 | local function foo () foo () end -- just create a stack overflow | ||
| 132 | local co = coroutine.create(foo) | ||
| 133 | -- running this coroutine would overflow the unsigned short 'nci', the | ||
| 134 | -- counter of CallInfo structures available to the thread. | ||
| 135 | -- (The issue only manifests in an 'assert'.) | ||
| 136 | local st, msg = coroutine.resume(co) | ||
| 137 | assert(string.find(msg, "stack overflow")) | ||
| 138 | assert(coroutine.status(co) == "dead") | ||
| 139 | end | ||
| 140 | |||
| 141 | |||
| 130 | print("to-be-closed variables in coroutines") | 142 | print("to-be-closed variables in coroutines") |
| 131 | 143 | ||
| 132 | local function func2close (f) | 144 | local function func2close (f) |