From 983bc433e6a60cbc4fe3a16f1d4713bacb8e3509 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Thu, 13 Mar 2025 15:42:39 -0300
Subject: Bug: Use after free in 'luaV_finishset'

If a metatable is a weak table, its __newindex field could be collected
by an emergency collection while being used in 'luaV_finishset'. (This
bug has similarities with bug 5.3.2-1, fixed in commit a272fa66.)
---
 testes/events.lua | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'testes')

diff --git a/testes/events.lua b/testes/events.lua
index 8d8563b9..def13dc8 100644
--- a/testes/events.lua
+++ b/testes/events.lua
@@ -370,6 +370,19 @@ x = 0 .."a".."b"..c..d.."e".."f".."g"
 assert(x.val == "0abcdefg")
 
 
+do
+  -- bug since 5.4.1
+  local mt = setmetatable({__newindex={}}, {__mode='v'})
+  local t = setmetatable({}, mt)
+
+  if T then T.allocfailnext() end
+
+  -- seg. fault
+  for i=1, 10 do t[i] = 1 end
+end
+
+
+
 -- concat metamethod x numbers (bug in 5.1.1)
 c = {}
 local x
-- 
cgit v1.2.3-55-g6feb