An overflow flaw was fixed in Lua 5.2.2:
http://www.lua.org/bugs.html#5.2.2-1
This could cause the application to crash or, potentially, execute arbitrary
code. One way an attacker could trigger this issue is if they can control
parameters to a loadstring call (an eval in Lua,
See also:
--- src/ldo.c.orig 2014-08-31 09:13:13.318213607 -0700
+++ src/ldo.c 2014-08-31 09:23:49.433127527 -0700
@@ -323,7 +323,7 @@
case LUA_TLCL: { /* Lua function: prepare its call */
StkId base;
Proto *p = clLvalue(func)->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
n = cast_int(L->top - func) - 1; /* number of real arguments */
for (; n < p->numparams; n++)
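Review bot: the changed luaD_checkstack call in the LUA_TLCL case now reserves p->maxstacksize + p->numparams, but nothing on that line or near it says why the extra p->numparams slots are needed. A short comment tying the reservation to the `for (; n < p->numparams; n++)` loop just below, which runs from the number of real arguments up to numparams, would keep a later cleanup from reducing it back to p->maxstacksize alone. It is also worth confirming that the sum cannot wrap in the integer type luaD_checkstack takes, and adding a regression test that calls a function declared with many parameters while passing few actual arguments.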