From 28c7e667aee9be8c3288597bcc179d9b4e7b4940 Mon Sep 17 00:00:00 2001
From: Nick Zavaritsky <mejedi@gmail.com>
Date: Fri, 25 Nov 2016 23:04:36 +0300
Subject: [PATCH] Fix gh-1955 use after free in lbox_error

---
 src/lua/utils.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/lua/utils.c b/src/lua/utils.c
index bf9508f414..a48d2c9647 100644
--- a/src/lua/utils.c
+++ b/src/lua/utils.c
@@ -910,7 +910,15 @@ lbox_error(lua_State *L)
 {
 	struct error *e = diag_last_error(&fiber()->diag);
 	assert(e != NULL);
+	/*
+	 * gh-1955 luaL_pusherror allocates Lua objects, thus it may trigger
+	 * GC. GC may invoke finalizers which are arbitrary Lua code,
+	 * potentially invalidating last error object, hence error_ref
+	 * below.
+	 */
+	error_ref(e);
 	luaL_pusherror(L, e);
+	error_unref(e);
 	lua_error(L);
 	assert(0); /* unreachable */
 	return 0;
-- 
GitLab