From 22974326ca0d4f893849ce722cc1d65b3e228f42 Mon Sep 17 00:00:00 2001 From: Roberto Ierusalimschy Date: Thu, 13 Mar 2025 15:30:52 -0300 Subject: Use after free in 'luaV_finishset' If a metatable is a weak table, its __newindex field could be collected by an emergency collection while being used in 'luaV_finishset'. (This bug has similarities with bug 5.3.2-1, fixed in commit a272fa66.) --- testes/events.lua | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'testes') diff --git a/testes/events.lua b/testes/events.lua index 2500fbd5..7e434b1f 100644 --- a/testes/events.lua +++ b/testes/events.lua @@ -379,6 +379,17 @@ x = 0 .."a".."b"..c..d.."e".."f".."g" assert(x.val == "0abcdefg") +do + -- bug since 5.4.1 (test needs T) + local mt = setmetatable({__newindex={}}, {__mode='v'}) + local t = setmetatable({}, mt) + + if T then T.allocfailnext() end + + -- seg. fault + for i=1, 10 do t[i] = 1 end +end + -- concat metamethod x numbers (bug in 5.1.1) c = {} local x @@ -481,7 +492,7 @@ assert(not pcall(function (a,b) return a[b] end, a, 10)) assert(not pcall(function (a,b,c) a[b] = c end, a, 10, true)) -- bug in 5.1 -T, K, V = nil +local T, K, V = nil grandparent = {} grandparent.__newindex = function(t,k,v) T=t; K=k; V=v end -- cgit v1.2.3-55-g6feb
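Review bot: The new `do ... end` regression block in the first hunk (`@@ -379,6 +379,17 @@`) contains no assertion and only calls `T.allocfailnext()` when `T` exists, so on a build without the internal test library the loop runs as an ordinary assignment and the test passes without reaching the path the commit message describes. Even with `T`, detection depends on the use after free actually crashing, which is not guaranteed; the test is a reliable signal only when the suite runs under a memory checker such as AddressSanitizer or Valgrind. I would record that in the comments, e.g. `-- bug since 5.4.1 (needs T; a use after free may not crash, run under ASan/Valgrind)`, and replace `-- seg. fault` with `-- used to access a collected '__newindex' table`.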
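Review bot: In the second hunk (`@@ -481,7 +492,7 @@`), `local T, K, V = nil` now shadows the global `T` that the new test earlier in the file checks with `if T then`, and nothing on the line says why. Presumably the handler's `T=t` two lines below must no longer overwrite the test library, which deserves a one-line comment such as `-- locals: the handler below must not clobber the global 'T' (test library)`. From this declaration to the end of its enclosing scope, any `if T then` guard would see the local rather than the test library, so tests that need `T` have to stay above it; the rest of the file is outside the hunk. The `= nil` is redundant on a `local` declaration, so `local T, K, V` is enough.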