Possible NULL pointer dereference in lua_setlocal (Lua 5.4.6)


武汉理工大学-周豪

Apr 13, 2026, 6:33:49 AM
to lu...@googlegroups.com

Hi,

I was going through the debug API in Lua 5.4.6 and noticed something that might be a bug, or at least an inconsistency.

In ldebug.c, the function lua_getlocal checks whether ar is NULL before using it:

```c
if (ar == NULL) {
    /* handle the NULL case */
}
```

But lua_setlocal right below it doesn't have that check. It just goes ahead and accesses ar->i_ci directly:

```c
name = luaG_findlocal(L, ar->i_ci, n, &pos);
```

So if someone calls lua_setlocal with ar = NULL (which the API allows as far as I can tell, since it's a public function and lua_getlocal already handles it), it'll segfault.

I haven't tested this in a real script yet, but it looks like an oversight. Maybe lua_setlocal should have the same NULL guard as lua_getlocal for consistency.

Quick fix would be adding something like:

```c
if (ar == NULL) {
    lua_unlock(L);
    return NULL;
}
```

at the beginning of the function.

Not sure if this is intentional or just a missing check. Figured I'd mention it.

Thanks



morganb

Apr 13, 2026, 9:30:41 AM
to lu...@googlegroups.com

Hello,

The lua_getlocal and lua_setlocal functions seem to have three actual usages:

- Set a local variable for a given activation record.
- Get the value and name of a local variable for a given activation record.
- Get the name of a parameter of a function on the stack.

And so we have:

- lua_setlocal requires ar != NULL, and sets the value of a variable from an activation record.
- lua_getlocal with ar != NULL gets the name and value of a variable from an activation record.
- lua_getlocal with ar == NULL gets the name of the parameter of a function on the stack.

The only thing I would suggest, to make the documentation a little clearer,
is to modify the section in the lua_setlocal documentation that currently says
'Parameters ar and n are as in the function lua_getlocal' to make it clear that
lua_setlocal does require 'ar' not NULL.


武汉理工大学-周豪

Apr 13, 2026, 9:29:15 PM
to lu...@googlegroups.com


Thank you all for the prompt and detailed responses.

I understand the distinction now: lua_setlocal is designed to always work with a valid activation record, while lua_getlocal has a dual purpose. My initial report was based on an inconsistency I noticed when comparing the two functions.

I agree that clarifying this requirement in the documentation for lua_setlocal would be very helpful for other users and would resolve this issue.

I also appreciate the additional discussion regarding the OP_GETVARG case. It's great to see the community's deep engagement with these details.

Thank you again for your valuable time and for the excellent work on Lua.


