Diffstat (limited to 'meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch')
-rw-r--r-- | meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch | 32 |
1 files changed, 32 insertions, 0 deletions
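--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
+CVE-2019-6706: use-after-free in lua_upvaluejoin function
+
+Upstream-Status: Backport
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+CVE: CVE-2019-6706
+Affects < 5.3.5
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: lua-5.3.4/src/lapi.c
+===================================================================
+--- lua-5.3.4.orig/src/lapi.c
++++ lua-5.3.4/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+
+LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+int fidx2, int n2) {
+- LClosure *f1;
+- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++ if (*up1 == *up2) return; /* Already joined */
++ (*up2)->refcount++;
++ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++ luaC_upvalbarrier(L, *up2);
+luaC_upvdeccount(L, *up1);
+*up1 = *up2;
+- (*up1)->refcount++;
+- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+- luaC_upvalbarrier(L, *up1);
+}
+
+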
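Review bot: The lifetime reasoning behind the new statement order in lua_upvaluejoin is not written down anywhere in the code; the only comments are `/* Already joined */` and the remark about the NULL argument. The `*up1 == *up2` guard is what stops `luaC_upvdeccount(L, *up1)` from dropping the last reference to the very UpVal that `*up2` still names, and taking `(*up2)->refcount++` before the decrement keeps that true if the guard is ever relaxed. I would add `/* take the new reference before releasing the old one so *up2 stays live */` above the increment and extend the guard comment to `/* already joined: decrementing here could free the shared UpVal */`. Separately, the header line `Affects < 5.3.5` should be checked against the CVE record, because the recipe's CVE tracking relies on it and, as far as I recall, the report names 5.3.5 itself. `Upstream-Status: Backport` also points at a mailing-list thread rather than an upstream commit, so it is worth confirming that this matches what upstream finally shipped.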