mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-01-04 08:12:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/main/lua5.4/fix-double-free.patch
Sören Tempel 2faa22f696
main/lua5.4: fix double-free 
Fixes #13694
2022-04-15 01:46:02 +02:00

57 lines
2.7 KiB
Diff
Raw Blame History

Lua5.4 frees the lineinfo memory twice. Once via combine() and once
via close_state() this causes a segfault on musl. The segfault double
free can be fixed by having combine assign NULL to f->lineinfo after
it has been freed. Thus not freeing it again in close_state().
Valgrind output for the double-free:
==29903== Invalid free() / delete / delete[] / realloc()
==29903== at 0x48A4B0D: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==29903== by 0x11E5D2: l_alloc (lauxlib.c:1014)
==29903== by 0x112F51: luaM_free_ (lmem.c:135)
==29903== by 0x11111B: luaF_freeproto (lfunc.c:271)
==29903== by 0x112ABB: deletelist (lgc.c:1494)
==29903== by 0x112ABB: luaC_freeallobjects (lgc.c:1511)
==29903== by 0x116D54: close_state (lstate.c:276)
==29903== by 0x10B549: main (luac.c:210)
==29903== Address 0x48ec220 is 0 bytes inside a block of size 10 free'd
==29903== at 0x48A4B0D: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==29903== by 0x11E5D2: l_alloc (lauxlib.c:1014)
==29903== by 0x112F51: luaM_free_ (lmem.c:135)
==29903== by 0x10C60C: combine (luac.c:158)
==29903== by 0x10C60C: pmain (luac.c:183)
==29903== by 0x10FF38: precallC (ldo.c:506)
==29903== by 0x11020C: luaD_precall (ldo.c:572)
==29903== by 0x110340: ccall (ldo.c:607)
==29903== by 0x10F7CA: luaD_rawrunprotected (ldo.c:144)
==29903== by 0x110668: luaD_pcall (ldo.c:926)
==29903== by 0x10DB2F: lua_pcallk (lapi.c:1067)
==29903== by 0x10B528: main (luac.c:209)
==29903== Block was alloc'd at
==29903== at 0x48A6FC9: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==29903== by 0x112F7E: luaM_realloc_ (lmem.c:166)
==29903== by 0x112FC5: luaM_saferealloc_ (lmem.c:180)
==29903== by 0x113074: luaM_shrinkvector_ (lmem.c:116)
==29903== by 0x114B02: close_func (lparser.c:764)
==29903== by 0x116B1B: mainfunc (lparser.c:1937)
==29903== by 0x116B1B: luaY_parser (lparser.c:1959)
==29903== by 0x10F718: f_parser (ldo.c:971)
==29903== by 0x10F7CA: luaD_rawrunprotected (ldo.c:144)
==29903== by 0x110668: luaD_pcall (ldo.c:926)
==29903== by 0x11074B: luaD_protectedparser (ldo.c:988)
==29903== by 0x10DC13: lua_load (lapi.c:1097)
==29903== by 0x10C5B1: combine (luac.c:151)
==29903== by 0x10C5B1: pmain (luac.c:183)
diff -upr lua5.4.4.orig/src/luac.c lua-5.4.4/src/luac.c
--- lua5.4.4.orig/src/luac.c 2022-04-14 20:57:01.927447850 +0200
+++ lua-5.4.4/src/luac.c 2022-04-14 20:57:35.260900910 +0200
@@ -156,6 +156,7 @@ static const Proto* combine(lua_State* L
if (f->p[i]->sizeupvalues>0) f->p[i]->upvalues[0].instack=0;
}
luaM_freearray(L,f->lineinfo,f->sizelineinfo);
+ f->lineinfo=NULL;
f->sizelineinfo=0;
return f;
}
Reference in New Issue View Git Blame Copy Permalink