json: fix stack-use-after-scope in json_decode()
Inside json_decode(), struct luaL_serializer is allocated on the stack, but the json context stores a pointer to it:

    static int json_decode(lua_State *l)
    {
        ...
        if (lua_gettop(l) == 2) {
            struct luaL_serializer user_cfg = *luaL_checkserializer(l);
            luaL_serializer_parse_options(l, &user_cfg);
            lua_pop(l, 1);
            json.cfg = &user_cfg;
        }

Later (for instance in json_decode_descend()), it can be dereferenced, which in turn results in a stack-use-after-scope (the object turns into garbage right after the scope is ended).

To fix it, let's simply avoid allocating and copying luaL_serializer on the stack and instead use a pointer to it.

The bug was found by ASAN: test app-tap/json.test.lua fails with ASAN enabled. The current fix allows all tests to pass.

Thanks to @Korablev77 for the initial investigation.

Closes #4637
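The bug class described in the commit message, shown as an added C example that is not the tarantool code itself: a decoder context keeps only a pointer to its configuration, so whatever that pointer targets must outlive every later dereference. `struct serializer_cfg`, `struct decode_ctx`, `decode_descend()` and the two `decode_with_*` functions are constructed stand-ins for `struct luaL_serializer`, the json context, `json_decode_descend()` and `json_decode()`; the sample configuration is constructed as well. The buggy shape from the commit is kept as a comment only, because executing it is undefined behaviour and is exactly what ASAN flagged.

```c
#include <stdio.h>

/* Constructed stand-in for struct luaL_serializer (not the real definition). */
struct serializer_cfg {
    int decode_max_depth;
};

/* Like the json context in the commit: holds a pointer to the config, not a copy. */
struct decode_ctx {
    const struct serializer_cfg *cfg;
    int depth;
};

/* Stand-in for json_decode_descend(): dereferences ctx->cfg after setup.
 * Returns 1 while nesting is within the configured limit, 0 once exceeded. */
static int decode_descend(struct decode_ctx *ctx)
{
    ctx->depth++;
    return ctx->depth <= ctx->cfg->decode_max_depth;
}

/*
 * BUGGY shape from the commit (comment only; do not write this):
 *
 *     struct decode_ctx ctx;
 *     if (have_user_options) {
 *         struct serializer_cfg user_cfg = *base;   // block-scoped copy
 *         ctx.cfg = &user_cfg;                      // pointer escapes the block
 *     }
 *     decode_descend(&ctx);   // user_cfg is out of scope: stack-use-after-scope
 */

/* Fix 1 (what the commit does): point at the caller-owned object and never
 * copy it into a block-scoped local. Returns final depth, or -1 if too deep. */
int decode_with_pointer(const struct serializer_cfg *user_cfg, int levels)
{
    struct decode_ctx ctx = { .cfg = user_cfg, .depth = 0 };
    for (int i = 0; i < levels; i++)
        if (!decode_descend(&ctx))
            return -1;
    return ctx.depth;
}

/* Fix 2 (an alternative, not the commit's choice): if options really must be
 * overridden in a private copy, declare that copy at function scope so it
 * lives as long as every dereference through ctx.cfg. */
int decode_with_function_scope_copy(const struct serializer_cfg *base,
                                    int override_depth, int levels)
{
    struct serializer_cfg local_cfg = *base;          /* function scope */
    struct decode_ctx ctx = { .cfg = &local_cfg, .depth = 0 };
    if (override_depth > 0)
        local_cfg.decode_max_depth = override_depth;  /* mutate the copy only */
    for (int i = 0; i < levels; i++)
        if (!decode_descend(&ctx))
            return -1;
    return ctx.depth;
}

/* Constructed sample configuration for the demo below. */
static const struct serializer_cfg sample_cfg = { .decode_max_depth = 4 };

int main(void)
{
    printf("pointer, 4 levels: %d\n", decode_with_pointer(&sample_cfg, 4));
    printf("pointer, 5 levels: %d\n", decode_with_pointer(&sample_cfg, 5));
    printf("copy, override 2, 3 levels: %d\n",
           decode_with_function_scope_copy(&sample_cfg, 2, 3));
    return 0;
}
```

Both fixes work because the object behind `ctx.cfg` is alive for the whole decode; the original code failed only because the copy's lifetime ended at the closing brace of the `if` block while the pointer kept being used. Compiling a variant with the commented-out shape under `-fsanitize=address` reports it as stack-use-after-scope, which is the report the commit message refers to.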