Snippets Groups Projects

Commit 28ec245d authored 1 year ago by Vladimir Davydov Committed by Vladimir Davydov 1 year ago

lua: fix heap-use-after-free bug in tuple format constructor

Runtime tuple formats are reusable, which means that a tuple format
returned by runtime_tuple_format_new may not be brand new, but actually
be used by a Lua object. As a result, if we call any function that may
trigger Lua GC between runtime_tuple_format_new and tuple_format_ref,
the tuple format may be deleted, leading to a use-after-free bug. This
is what happens in lbox_tuple_format_new. Fix this issue by moving the
runtime_tuple_format_new call after the Lua object allocation.

Closes #8889

NO_DOC=bug fix
NO_TEST=difficult to reproduce, found by ASAN

parent 324872ab

Hide whitespace changes

Inline Side-by-side

Showing with 24 additions and 16 deletions

Дмитрий Кольцов @vifley
mentioned in commit 4123061b
· 1 year ago

mentioned in commit 4123061b

mentioned in commit 4123061bc95baa21e013ed1fd72867e4fcde8068

Toggle commit list
Georgy Moshkin @gmoshkin
mentioned in commit 46b33a7a
· 1 year ago

mentioned in commit 46b33a7a

mentioned in commit 46b33a7a7d0e29479a2249933f8a7aa3e7a8182a

Toggle commit list
Feodor Alexandrov @f.alexandrov
mentioned in commit 94fa1fb4
· 1 year ago

mentioned in commit 94fa1fb4

mentioned in commit 94fa1fb4cf200f1e6e81e0dbe7c9e5efb626347d

Toggle commit list

Please register or to comment