1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
CVE-2019-6706: use-after-free in lua_upvaluejoin function
Upstream-Status: Backport
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
CVE: CVE-2019-6706
Affects < 5.3.5
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: lua-5.3.4/src/lapi.c
===================================================================
--- lua-5.3.4.orig/src/lapi.c
+++ lua-5.3.4/src/lapi.c
@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
- LClosure *f1;
- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+ if (*up1 == *up2) return; /* Already joined */
+ (*up2)->refcount++;
+ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+ luaC_upvalbarrier(L, *up2);
luaC_upvdeccount(L, *up1);
*up1 = *up2;
- (*up1)->refcount++;
- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
- luaC_upvalbarrier(L, *up1);
}
|
