From 983bc433e6a60cbc4fe3a16f1d4713bacb8e3509 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 13 Mar 2025 15:42:39 -0300
Subject: Bug: Use after free in 'luaV_finishset'

If a metatable is a weak table, its __newindex field could be collected by an emergency collection while being used in 'luaV_finishset'. (This bug has similarities with bug 5.3.2-1, fixed in commit a272fa66.)
---
 lvm.c | 3 +++
 testes/events.lua | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/lvm.c b/lvm.c
index fcd24e11..7023a04d 100644
--- a/lvm.c
+++ b/lvm.c
@@ -339,7 +339,10 @@ void luaV_finishset (lua_State *L, const TValue *t, TValue *key,
 lua_assert(isempty(slot)); /* slot must be empty */
 tm = fasttm(L, h->metatable, TM_NEWINDEX); /* get metamethod */
 if (tm == NULL) { /* no metamethod? */
+ sethvalue2s(L, L->top.p, h); /* anchor 't' */
+ L->top.p++; /* assume EXTRA_STACK */
 luaH_finishset(L, h, key, slot, val); /* set new value */
+ L->top.p--;
 invalidateTMcache(h);
 luaC_barrierback(L, obj2gco(h), val);
 return;
diff --git a/testes/events.lua b/testes/events.lua
index 8d8563b9..def13dc8 100644
--- a/testes/events.lua
+++ b/testes/events.lua
@@ -370,6 +370,19 @@ x = 0 .."a".."b"..c..d.."e".."f".."g"
 assert(x.val == "0abcdefg")
+do
+ -- bug since 5.4.1
+ local mt = setmetatable({__newindex={}}, {__mode='v'})
+ local t = setmetatable({}, mt)
+
+ if T then T.allocfailnext() end
+
+ -- seg. fault
+ for i=1, 10 do t[i] = 1 end
+end
+
+
+
 -- concat metamethod x numbers (bug in 5.1.1)
 c = {}
 local x
-- cgit v1.2.3-55-g6feb
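Review bot: The comment on the new `sethvalue2s` line says only that it anchors 't', not why; the commit message explains that an emergency collection inside `luaH_finishset` can free the table when its only remaining reference is a weak metatable entry, and that reasoning belongs next to the code rather than only in the log. I would change it to `sethvalue2s(L, L->top.p, h);  /* anchor 'h': an emergency GC inside luaH_finishset may collect it when it is only weakly referenced */`. The `L->top.p++` with the comment "assume EXTRA_STACK" relies on a stack invariant that is stated but not checked; a debug-build assertion that one free slot exists above top would make the assumption enforceable. luaV_finishset starts before this hunk and continues after it.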
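Review bot: The regression test only reaches the use-after-free path when `T.allocfailnext()` is available, so without the internal test library the loop is an ordinary assignment and the `-- seg. fault` comment does not describe what actually runs; the comment should say so. I would replace `-- bug since 5.4.1` with a short comment stating that the `__newindex` table is only weakly referenced through `mt`, that a forced allocation failure during `t[i] = 1` triggers an emergency collection which could free it while it is in use, and that the crash is therefore only reproducible when `T` is present. The name `T` is presumably the internal C test library set up by the harness; worth confirming, since the block silently passes whenever it is nil.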