1 files changed, 17 insertions, 1 deletions

diff --git a/src/lj_lex.c b/src/lj_lex.c
index d87a49dc..669d2dfe 100644
--- a/src/lj_lex.c
+++ b/src/lj_lex.c
@@ -411,6 +411,7 @@ static int llex(LexState *ls, TValue *tv)
 /* Setup lexer state. */
 int lj_lex_setup(lua_State *L, LexState *ls)
 {
+  int header = 0;
   ls->L = L;
   ls->fs = NULL;
   ls->n = 0;
@@ -430,6 +431,7 @@ int lj_lex_setup(lua_State *L, LexState *ls)
     ls->n -= 2;
     ls->p += 2;
     next(ls);
+    header = 1;
   }
   if (ls->current == '#') {  /* Skip POSIX #! header line. */
     do {
@@ -437,8 +439,22 @@ int lj_lex_setup(lua_State *L, LexState *ls)
       if (ls->current == END_OF_STREAM) return 0;
     } while (!currIsNewline(ls));
     inclinenumber(ls);
+    header = 1;
   }
-  return (ls->current == LUA_SIGNATURE[0]);  /* Bytecode dump? */
+  if (ls->current == LUA_SIGNATURE[0]) {  /* Bytecode dump. */
+    if (header) {
+      /*
+      ** Loading bytecode with an extra header is disabled for security
+      ** reasons. This may circumvent the usual check for bytecode vs.
+      ** Lua code by looking at the first char. Since this is a potential
+      ** security violation no attempt is made to echo the chunkname either.
+      */
+      setstrV(L, L->top++, lj_err_str(L, LJ_ERR_BCHEAD));
+      lj_err_throw(L, LUA_ERRSYNTAX);
+    }
+    return 1;
+  }
+  return 0;
 }
 
 /* Cleanup lexer state. */