luajit/CVE-2020-24372-1.patch

From 12ab596997b9cb27846a5b254d11230c3f9c50c8 Mon Sep 17 00:00:00 2001
From: Mike Pall <mike>
Date: Sun, 9 Aug 2020 18:08:38 +0200
Subject: [PATCH] Fix handling of errors during snapshot restore.

---
 src/lj_trace.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lj_trace.c b/src/lj_trace.c
index 311baa73c..123e6eb83 100644
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -701,6 +701,8 @@ static TValue *trace_exit_cp(lua_State *L, lua_CFunction dummy, void *ud)
 {
   ExitDataCP *exd = (ExitDataCP *)ud;
   cframe_errfunc(L->cframe) = -1;  /* Inherit error function. */
+  /* Always catch error here. */
+  cframe_nres(L->cframe) = -2*LUAI_MAXSTACK*(int)sizeof(TValue);
   exd->pc = lj_snap_restore(exd->J, exd->exptr);
   UNUSED(dummy);
   return NULL;
fix CVE-2020-24372 2021-02-08 15:23:46 +08:00			`From 12ab596997b9cb27846a5b254d11230c3f9c50c8 Mon Sep 17 00:00:00 2001`
			`From: Mike Pall <mike>`
			`Date: Sun, 9 Aug 2020 18:08:38 +0200`
			`Subject: [PATCH] Fix handling of errors during snapshot restore.`

			`---`
			`src/lj_trace.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/src/lj_trace.c b/src/lj_trace.c`
			`index 311baa73c..123e6eb83 100644`
			`--- a/src/lj_trace.c`
			`+++ b/src/lj_trace.c`
			`@@ -701,6 +701,8 @@ static TValue trace_exit_cp(lua_State L, lua_CFunction dummy, void *ud)`
			`{`
			`ExitDataCP exd = (ExitDataCP )ud;`
			`cframe_errfunc(L->cframe) = -1; /* Inherit error function. */`
			`+ /* Always catch error here. */`
			`+ cframe_nres(L->cframe) = -2LUAI_MAXSTACK(int)sizeof(TValue);`
			`exd->pc = lj_snap_restore(exd->J, exd->exptr);`
			`UNUSED(dummy);`
			`return NULL;`