From 934fdd481ced3a9d4a7aaace4479ce889ab23582 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Wed, 27 Aug 2025 14:58:02 -0300
Subject: Bug: Constructors with nils can overflow counters
---
 lparser.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lparser.c b/lparser.c
index 1ac82990..f4bfc963 100644
--- a/lparser.c
+++ b/lparser.c
@@ -940,6 +940,8 @@ static void constructor (LexState *ls, expdesc *t) {
 if (ls->t.token == '}') break;
 closelistfield(fs, &cc);
 field(ls, &cc);
+ checklimit(fs, cc.tostore + cc.na + cc.nh, INT_MAX/2,
+ "items in a constructor");
 } while (testnext(ls, ',') || testnext(ls, ';'));
 check_match(ls, '}', '{', line);
 lastlistfield(fs, &cc);
--
cgit v1.2.3-55-g6feb
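Review bot: The added `checklimit` call in the `do … while` loop uses the bound `INT_MAX/2` without explanation, and the sum `cc.tostore + cc.na + cc.nh` is itself computed before the limit is tested, so the guard relies on an unstated invariant. It appears to hold only because the check runs after every `field()` call, presumably letting the total grow by a small step per iteration so that the addition cannot wrap before the limit trips; the counter types and `field()` are outside the hunk, so this should be confirmed. I would record that next to the call, for example `/* checked after each field, so the sum cannot wrap; INT_MAX/2 leaves headroom for later additions to the counters */`. The body of `constructor` starts and ends outside the hunk, so whether `lastlistfield` or later code adds further to these counters is not visible here.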