CVE-2019-6706: use-after-free in lua_upvaluejoin function Upstream-Status: Backport http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html CVE: CVE-2019-6706 Affects < 5.3.5 Signed-off-by: Armin Kuster
Index: lua-5.3.4/src/lapi.c
===================================================================
--- lua-5.3.4.orig/src/lapi.c
+++ lua-5.3.4/src/lapi.c
@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
 LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1, int fidx2, int n2) {
- LClosure *f1;
- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
 UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+ if (*up1 == *up2) return; /* Already joined */
+ (*up2)->refcount++;
+ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+ luaC_upvalbarrier(L, *up2);
 luaC_upvdeccount(L, *up1);
 *up1 = *up2;
- (*up1)->refcount++;
- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
- luaC_upvalbarrier(L, *up1);
 }
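Review bot: The two things in lua_upvaluejoin that carry the memory-safety fix, the early return when `*up1 == *up2` and taking the reference on `*up2` before `luaC_upvdeccount(L, *up1)`, are not explained in the code, and `/* Already joined */` reads like a shortcut rather than a safety guard. I would replace it with something like `/* same UpVal: dropping the old reference first could free it before it is referenced again */`, so a later cleanup does not reorder or remove these lines. Since the early return already covers the same-UpVal case on its own, the comment should also say whether moving the increment ahead of the decrement is required or only defensive. Index and type validation of fidx1/n1/fidx2/n2 is left to getupvalref, which is outside this hunk; presumably those are api_check assertions, in which case release builds perform no validation here, which is worth confirming for embedders that pass script-controlled indices.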