aboutsummaryrefslogblamecommitdiffstats
path: root/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
blob: ea26696fda348027628ef7491e6113c26942ddd1 (plain) (tree)























                                                                                                        
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html

--- a/src/lapi.c
+++ b/src/lapi.c
@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
 
 LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
                                             int fidx2, int n2) {
-  LClosure *f1;
-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+  if (*up1 == *up2) return; /* Already joined */
+  (*up2)->refcount++;
+  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+  luaC_upvalbarrier(L, *up2);
   luaC_upvdeccount(L, *up1);
   *up1 = *up2;
-  (*up1)->refcount++;
-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
-  luaC_upvalbarrier(L, *up1);
 }