From 22974326ca0d4f893849ce722cc1d65b3e228f42 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 13 Mar 2025 15:30:52 -0300
Subject: Use after free in 'luaV_finishset'
If a metatable is a weak table, its __newindex field could be collected by an emergency collection while being used in 'luaV_finishset'. (This bug has similarities with bug 5.3.2-1, fixed in commit a272fa66.)
---
 lapi.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'lapi.c')
diff --git a/lapi.c b/lapi.c
index a5e94507..eab12cac 100644
--- a/lapi.c
+++ b/lapi.c
@@ -681,6 +681,11 @@ static int auxgetstr (lua_State *L, const TValue *t, const char *k) {
 }
+/*
+** The following function assumes that the registry cannot be a weak
+** table, so that en mergency collection while using the global table
+** cannot collect it.
+*/
 static void getGlobalTable (lua_State *L, TValue *gt) {
 Table *registry = hvalue(&G(L)->l_registry);
 lu_byte tag = luaH_getint(registry, LUA_RIDX_GLOBALS, gt);
-- cgit v1.2.3-55-g6feb
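Review bot: The comment added above getGlobalTable has a typo, `en mergency collection` should read `an emergency collection`, and the invariant it records (the registry is never a weak table) is not checked anywhere in the visible lines. Because the commit message ties a broken form of this invariant to a use after free, the comment should say what guarantees it, or the function should back it with a debug-build `lua_assert` on the registry's metatable. I cannot tell from this hunk whether host code or the debug library is able to attach a metatable carrying `__mode` to the registry, so that is worth confirming before relying on the assumption. getGlobalTable's body continues past the hunk, and the page is limited to lapi.c, so the change to 'luaV_finishset' itself is not visible here.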