authorRoberto Ierusalimschy <roberto@inf.puc-rio.br>2025-02-26 11:31:10 -0300
committerRoberto Ierusalimschy <roberto@inf.puc-rio.br>2025-02-26 11:31:10 -0300
commitf9e35627ed26dff4114a1d01ff113d8b4cc91ab5 (patch)
treead817f574adcd2d57720c8a498626919b85e6e78
parentceac82f78be8baeddfa8536472d8b08df2eb7d49 (diff)
'lua_State.nci' must be an integer
Lua can easily overflow an unsigned short counting nested calls. (The limit to this value is the maximum stack size, LUAI_MAXSTACK, which is currently 1e6.)
-rw-r--r--lstate.h2
-rw-r--r--ltests.h7
-rw-r--r--testes/coroutine.lua12
3 files changed, 18 insertions, 3 deletions
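--- a/lstate.h
+++ b/lstate.h
@@ -290,7 +290,6 @@ struct lua_State {
  CommonHeader;
  lu_byte allowhook;
  TStatus status;
- unsigned short nci; /* number of items in 'ci' list */
  StkIdRel top; /* first free slot in the stack */
  struct global_State *l_G;
  CallInfo *ci; /* call info for current function */
@@ -306,6 +305,7 @@ struct lua_State {
  ptrdiff_t errfunc; /* current error handling function (stack index) */
  l_uint32 nCcalls; /* number of nested non-yieldable or C calls */
  int oldpc; /* last pc traced */
+ int nci; /* number of items in 'ci' list */
  int basehookcount;
  int hookcount;
  volatile l_signalT hookmask;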
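Review bot: The new `int nci` field in the second hunk depends on a bound that is stated only in the commit message, namely that the number of CallInfo items is limited by the maximum stack size, LUAI_MAXSTACK. Unlike the old unsigned short, a signed counter that overflows is undefined behaviour rather than a wrap, so the bound is worth recording next to the field, for example `int nci;  /* number of items in 'ci' list (bounded by LUAI_MAXSTACK) */`. A compile-time check that LUAI_MAXSTACK fits in an `int` would also protect builds that override the macro, though where such a check belongs is not visible from these hunks. struct lua_State starts and ends outside both hunks.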
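--- a/ltests.h
+++ b/ltests.h
@@ -152,9 +152,12 @@ LUA_API void *debug_realloc (void *ud, void *block,
 */
 
 
-/* make stack-overflow tests run faster */
+/*
+** Reduce maximum stack size to make stack-overflow tests run faster.
+** (But value is still large enough to overflow smaller integers.)
+*/
 #undef LUAI_MAXSTACK
-#define LUAI_MAXSTACK 50000
+#define LUAI_MAXSTACK 68000
 
 
 /* test mode uses more stack space */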
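Review bot: The value in `#define LUAI_MAXSTACK 68000` is explained only as "large enough to overflow smaller integers"; it appears to be chosen to exceed 65535, the largest value a 16-bit counter can hold, but the comment never names that threshold. A later edit that lowers the limit again to speed up the tests would silently remove the overflow coverage this commit adds. Consider wording the second comment line as `** (Keep the value above 65535, so that 16-bit counters still overflow.)`.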
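--- a/testes/coroutine.lua
+++ b/testes/coroutine.lua
@@ -127,6 +127,18 @@ assert(#a == 22 and a[#a] == 79)
 x, a = nil
 
 
+do -- "bug" in 5.4.2
+ local function foo () foo () end -- just create a stack overflow
+ local co = coroutine.create(foo)
+ -- running this coroutine would overflow the unsigned short 'nci', the
+ -- counter of CallInfo structures available to the thread.
+ -- (The issue only manifests in an 'assert'.)
+ local st, msg = coroutine.resume(co)
+ assert(string.find(msg, "stack overflow"))
+ assert(coroutine.status(co) == "dead")
+end
+
+
 print("to-be-closed variables in coroutines")
 
 local function func2close (f)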
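Review bot: `st` from `coroutine.resume(co)` is assigned but never checked, so an unexpected successful resume would be caught only indirectly, by `string.find` raising an error on a nil `msg`. Asserting the failure directly makes the intent explicit: `assert(not st and string.find(msg, "stack overflow"))`. The test also reaches the old 16-bit limit only while the stack limit stays above 65535, which in test builds depends on the LUAI_MAXSTACK override in ltests.h. A one-line comment such as `-- needs LUAI_MAXSTACK > 65535 to exercise the old overflow` would record that dependency.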