Use after free in 'luaV_finishset'

If a metatable is a weak table, its __newindex field could be collected by an emergency collection while being used in 'luaV_finishset'. (This bug has similarities with bug 5.3.2-1, fixed in commit a272fa66.)
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2025-03-13 15:30:52 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2025-03-13 15:30:52 -0300
commit: 22974326ca0d4f893849ce722cc1d65b3e228f42 (patch)
tree: 1b4cb2cad1c55edce63e9fe6e468b1833950397d /lapi.c
parent: c931d86e98da320c71da70c16d44aa28e9755520 (diff)
download: lua-22974326ca0d4f893849ce722cc1d65b3e228f42.tar.gz
lua-22974326ca0d4f893849ce722cc1d65b3e228f42.tar.bz2
lua-22974326ca0d4f893849ce722cc1d65b3e228f42.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/lapi.c b/lapi.c
index a5e94507..eab12cac 100644
--- a/lapi.c
+++ b/lapi.c
@@ -681,6 +681,11 @@ static int auxgetstr (lua_State *L, const TValue *t, const char *k) {
 }
+/*
+** The following function assumes that the registry cannot be a weak
+** table, so that en mergency collection while using the global table
+** cannot collect it.
+*/
 static void getGlobalTable (lua_State *L, TValue *gt) {
  Table *registry = hvalue(&G(L)->l_registry);
  lu_byte tag = luaH_getint(registry, LUA_RIDX_GLOBALS, gt);
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2025-03-13 15:30:52 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2025-03-13 15:30:52 -0300
commit	22974326ca0d4f893849ce722cc1d65b3e228f42 (patch)
tree	1b4cb2cad1c55edce63e9fe6e468b1833950397d /lapi.c
parent	c931d86e98da320c71da70c16d44aa28e9755520 (diff)
download	lua-22974326ca0d4f893849ce722cc1d65b3e228f42.tar.gz lua-22974326ca0d4f893849ce722cc1d65b3e228f42.tar.bz2 lua-22974326ca0d4f893849ce722cc1d65b3e228f42.zip