equal
deleted
inserted
replaced
|
1 An overflow flaw was fixed in Lua 5.2.2: |
|
2 |
|
3 http://www.lua.org/bugs.html#5.2.2-1 |
|
4 |
|
5 This could cause the application to crash or, potentially, execute arbitrary |
|
6 code. One way an attacker could trigger this issue is if they can control |
|
7 parameters to a loadstring call (an eval in Lua, |
|
8 http://en.wikipedia.org/wiki/Eval#Lua). |
|
9 |
|
10 See also: |
|
11 |
|
12 https://bugzilla.redhat.com/show_bug.cgi?id=1132304 |
|
13 |
|
14 --- lua-5.1.4/src/ldo.c.orig 2014-08-31 09:15:30.815313542 -0700 |
|
15 +++ lua-5.1.4/src/ldo.c 2014-08-31 09:21:37.935417299 -0700 |
|
16 @@ -273,7 +273,7 @@ |
|
17 CallInfo *ci; |
|
18 StkId st, base; |
|
19 Proto *p = cl->p; |
|
20 - luaD_checkstack(L, p->maxstacksize); |
|
21 + luaD_checkstack(L, p->maxstacksize + p->numparams); |
|
22 func = restorestack(L, funcr); |
|
23 if (!p->is_vararg) { /* no varargs? */ |
|
24 base = func + 1; |