3131N/AAn overflow flaw was fixed in Lua 5.2.2:

3131N/A

3131N/A http://www.lua.org/bugs.html#5.2.2-1

3131N/A

3131N/AThis could cause the application to crash or, potentially, execute arbitrary

3131N/Acode. One way an attacker could trigger this issue is if they can control

3131N/Aparameters to a loadstring call (an eval in Lua,

3131N/Ahttp://en.wikipedia.org/wiki/Eval#Lua).

3131N/A

3131N/ASee also:

3131N/A

3131N/A https://bugzilla.redhat.com/show_bug.cgi?id=1132304

3131N/A

3131N/A--- src/ldo.c.orig 2014-08-31 09:13:13.318213607 -0700

3131N/A+++ src/ldo.c 2014-08-31 09:23:49.433127527 -0700

3131N/A@@ -323,7 +323,7 @@

3131N/A case LUA_TLCL: { /* Lua function: prepare its call */

3131N/A StkId base;

3131N/A Proto *p = clLvalue(func)->p;

3131N/A- luaD_checkstack(L, p->maxstacksize);

3131N/A+ luaD_checkstack(L, p->maxstacksize + p->numparams);

3131N/A func = restorestack(L, funcr);

3131N/A n = cast_int(L->top - func) - 1; /* number of real arguments */

3131N/A for (; n < p->numparams; n++)