From abcc124df05fe19470abdb9d665160a7e3b01495 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Wed, 28 Nov 2007 16:27:38 -0200
Subject: BUG: lua_setfenv may crash if called over an invalid object

---
 bugs   | 21 +++++++++++++++++++++
 lapi.c |  4 ++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/bugs b/bugs
index ed2eb666..fe6b2b81 100644
--- a/bugs
+++ b/bugs
@@ -1594,6 +1594,27 @@ ltablib.c:
 ]],
 }
 
+Bug{
+what = [[lua_setfenv may crash if called over an invalid object]],
+report = [[Mike Pall, on 11/2007]],
+since = [[5.1]],
+example = [[
+> debug.setfenv(3, {})
+]],
+patch = [[
+lapi.c:
+@@ -749,7 +749,7 @@
+       res = 0;
+       break;
+   }
+-  luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
++  if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
+   L->top--;
+   lua_unlock(L);
+   return res;
+]],
+}
+
 Bug{
 what = [[ ]],
 report = [[ , on ]],
diff --git a/lapi.c b/lapi.c
index 50b738ce..bb9927d9 100644
--- a/lapi.c
+++ b/lapi.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lapi.c,v 2.60 2007/04/17 13:19:53 roberto Exp roberto $
+** $Id: lapi.c,v 2.61 2007/08/07 16:53:40 roberto Exp roberto $
 ** Lua API
 ** See Copyright Notice in lua.h
 */
@@ -733,7 +733,7 @@ LUA_API int lua_setfenv (lua_State *L, int idx) {
       res = 0;
       break;
   }
-  luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
+  if (res) luaC_objbarrier(L, gcvalue(o), hvalue(L->top - 1));
   L->top--;
   lua_unlock(L);
   return res;
-- 
cgit v1.2.3-55-g6feb