From ab859fe59b464a038a45552921cb2b23892343af Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Fri, 17 Mar 2023 15:52:09 -0300
Subject: Bug: Loading a corrupted binary file can segfault

The size of the list of upvalue names are stored separated from the
size of the list of upvalues, but they share the same array.
---
 lundump.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'lundump.c')

diff --git a/lundump.c b/lundump.c
index aba93f82..02aed64f 100644
--- a/lundump.c
+++ b/lundump.c
@@ -248,6 +248,8 @@ static void loadDebug (LoadState *S, Proto *f) {
     f->locvars[i].endpc = loadInt(S);
   }
   n = loadInt(S);
+  if (n != 0)  /* does it have debug information? */
+    n = f->sizeupvalues;  /* must be this many */
   for (i = 0; i < n; i++)
     f->upvalues[i].name = loadStringN(S, f);
 }
-- 
cgit v1.2.3-55-g6feb