# CWE-476: NULL Pointer Dereference in luaL_loadstring Function


checkmate

Jan 20, 2026, 12:15:58 PM
to lua-l
Summary

The luaL_loadstring function in the Lua library (lauxlib.c) contains a vulnerability that leads to a NULL pointer dereference.

Vulnerability Details

• CWE: CWE-476 (NULL Pointer Dereference)
• Affected Function: luaL_loadstring
• File: lauxlib.c
• Version: 0b73ed8f083c99b5ff88e0822532db7ad8785881

Description

The luaL_loadstring function takes a parameter const char *s and immediately passes it to strlen(s):

```c
// Method: luaL_loadstring, lauxlib.c lines 553-555
LUALIB_API int luaL_loadstring (lua_State *L, const char *s) {
  return luaL_loadbuffer(L, s, strlen(s), s);
}
```

This function does not perform any validation to check if s is NULL before using it in strlen. If s is NULL, calling strlen will dereference it, resulting in undefined behavior, typically a crash.

Data Flow Analysis

• The source of the data is the parameter s, which flows directly to the sink strlen(s) without any checks or validations in between. The lack of sanitization means that if s is NULL, the program will attempt to access a non-existent memory location.

Conclusion

As observed through multiple analyses, the code is vulnerable, and there is no implicit sanitization provided by the Lua API. The direct data flow and the failure to validate the pointer before dereferencing it confirm the presence of a CWE-476 vulnerability.
