From c4402b8bb78c8d4e8b59f963f0e15d8d5abd0302 Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00
Date: Tue, 7 Oct 2025 16:02:57 +0900
Subject: [PATCH 1/4] Lua script may lead to remote code execution (CVE-2025-49844)

Fix CVE-2025-49844
---
 deps/lua/src/lparser.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/deps/lua/src/lparser.c b/deps/lua/src/lparser.c
index dda7488dc..ee7d90c90 100644
--- a/deps/lua/src/lparser.c
+++ b/deps/lua/src/lparser.c
@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
 struct LexState lexstate;
 struct FuncState funcstate;
 lexstate.buff = buff;
- luaX_setinput(L, &lexstate, z, luaS_new(L, name));
+ TString *tname = luaS_new(L, name);
+ setsvalue2s(L, L->top, tname);
+ incr_top(L);
+ luaX_setinput(L, &lexstate, z, tname);
 open_func(&lexstate, &funcstate);
 funcstate.f->is_vararg = VARARG_ISVARARG; /* main func. is always vararg */
 luaX_next(&lexstate); /* read first token */
 chunk(&lexstate);
 check(&lexstate, TK_EOS);
 close_func(&lexstate);
+ --L->top;
 lua_assert(funcstate.prev == NULL);
 lua_assert(funcstate.f->nups == 0);
 lua_assert(lexstate.fs == NULL);
From 2fcb98e572c916a2eca720309c4c9660ae6db95b Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00
Date: Mon, 20 Oct 2025 19:50:44 +0900
Subject: [PATCH 2/4] LUA out-of-bound read (CVE-2025-46819)

LUA out-of-bound read (CVE-2025-46819)
---
 deps/lua/src/llex.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/deps/lua/src/llex.c b/deps/lua/src/llex.c
index 88c6790c0..09ad22616 100644
--- a/deps/lua/src/llex.c
+++ b/deps/lua/src/llex.c
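Review bot: The hunk never records why the name string is pushed onto the stack before luaX_setinput and popped after close_func, and the new `TString *tname` declaration follows the `lexstate.buff = buff;` statement, which the Lua 5.1 sources otherwise avoid so they stay C89-clean. Declaring `TString *tname;` beside the two struct declarations and commenting the push, `setsvalue2s(L, L->top, tname);  /* anchor 'name' on the stack so the collector cannot free it while parsing */`, and the pop, `--L->top;  /* remove anchored 'name' */`, would make the lifetime reasoning visible to the next reader. If a syntax error is raised between `incr_top(L)` and `--L->top`, the extra slot is presumably discarded by the protected caller that resets the stack top; that contract deserves a sentence in the same comment if it is what the fix relies on.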
@@ -207,7 +207,13 @@ static void read_numeral (LexState *ls, SemInfo *seminfo) {
 }
-static int skip_sep (LexState *ls) {
+/*
+** reads a sequence '[=*[' or ']=*]', leaving the last bracket.
+** If a sequence is well-formed, return its number of '='s + 2; otherwise,
+** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...').
+*/
+static size_t skip_sep (LexState *ls) {
+ size_t count = 0;
 int count = 0;
 int s = ls->current;
 lua_assert(s == '[' || s == ']');
@@ -216,11 +222,13 @@ static int skip_sep (LexState *ls) {
 save_and_next(ls);
 count++;
 }
- return (ls->current == s) ? count : (-count) - 1;
-}
+ return (ls->current == s) ? count + 2
+ : (count == 0) ? 1
+ : 0;
+}
-static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
+static void read_long_string (LexState *ls, SemInfo *seminfo, size_t sep) {
 int cont = 0;
 (void)(cont); /* avoid warnings when `cont' is not used */
 save_and_next(ls); /* skip 2nd `[' */
@@ -270,8 +278,8 @@ static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
} } endloop: if (seminfo)
- seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep),
- luaZ_bufflen(ls->buff) - 2*(2 + sep));
+ seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep,
+ luaZ_bufflen(ls->buff) - 2 * sep);
 }
@@ -346,9 +354,9 @@ static int llex (LexState *ls, SemInfo *seminfo) {
 /* else is a comment */
 next(ls);
 if (ls->current == '[') {
- int sep = skip_sep(ls);
+ size_t sep = skip_sep(ls);
 luaZ_resetbuffer(ls->buff); /* `skip_sep' may dirty the buffer */
- if (sep >= 0) {
+ if (sep >= 2) {
 read_long_string(ls, NULL, sep); /* long comment */
 luaZ_resetbuffer(ls->buff);
 continue;
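Review bot: In the first hunk of llex.c, `+  size_t count = 0;` is added while the original `  int count = 0;` directly below it stays a context line, so skip_sep now declares `count` twice in one scope and will not compile; the diffstat (21 insertions, 12 deletions) is consistent with the `int` line never having been removed. The `int count = 0;` line needs to become a `-` line so that `size_t count = 0;` replaces it rather than sits beside it. Once that is corrected, the `count + 2` / `1` / `0` return values in the second hunk line up with the `sep >= 2` tests and with the `+ sep` / `- 2 * sep` slicing that the third hunk applies in read_long_string.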
@@ -360,13 +368,14 @@ static int llex (LexState *ls, SemInfo *seminfo) {
 continue;
 }
 case '[': {
- int sep = skip_sep(ls);
- if (sep >= 0) {
+ size_t sep = skip_sep(ls);
+ if (sep >= 2) {
 read_long_string(ls, seminfo, sep);
 return TK_STRING;
 }
- else if (sep == -1) return '[';
- else luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
+ else if (sep == 0) /* '[=...' missing second bracket */
+ luaX_lexerror(ls, "invalid long string delimiter", TK_STRING);
+ return '[';
 }
 case '=': {
 next(ls);
From 8a2c1aa9cd10f2c347bcd8e5764ce55440c0a89f Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00
Date: Mon, 20 Oct 2025 19:58:08 +0900
Subject: [PATCH 3/4] Fix Lua Library (CVE-2025-46817)

Fix Lua Library (CVE-2025-46817)
---
 deps/lua/src/lbaselib.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c
index 2ab550bd4..26172d15b 100644
--- a/deps/lua/src/lbaselib.c
+++ b/deps/lua/src/lbaselib.c
@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) {
 static int luaB_unpack (lua_State *L) {
- int i, e, n;
+ int i, e;
+ unsigned int n;
 luaL_checktype(L, 1, LUA_TTABLE);
 i = luaL_optint(L, 2, 1);
 e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
 if (i > e) return 0; /* empty range */
- n = e - i + 1; /* number of elements */
- if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
+ n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */
+ if (n >= INT_MAX || !lua_checkstack(L, ++n))
 return luaL_error(L, "too many results to unpack");
 lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
 while (i++ < e) /* push arg[i + 1...e] */
From 8b92a9a9ade3503b01a826e005e626180ade626a Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00
Date: Mon, 20 Oct 2025 19:59:00 +0900
Subject: [PATCH 4/4] Fix Lua Library (CVE-2025-46817)

Fix Lua Library (CVE-2025-46817)
---
 deps/lua/src/ltable.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
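Review bot: In the rewritten `'['` case, the final `return '[';` is reached both for `sep == 1` (a plain bracket) and, textually, after the `luaX_lexerror` call for `sep == 0`, so the branch is only correct because luaX_lexerror never returns (it raises through the lexer's error path). A one-line comment on that fall-through, `return '[';  /* sep == 1: single '['; luaX_lexerror above does not return */`, would stop the next reader from "fixing" it with an `else`. The enclosing llex function begins and ends outside this hunk.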
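Review bot: In the lbaselib.c hunk, the `++n` tucked inside the `||` condition is easy to misread: it runs only when `n >= INT_MAX` is false, and the function's tail outside the hunk presumably still returns `n`, so the result count silently depends on that side effect having happened. Writing it as `if (n >= INT_MAX) return luaL_error(L, "too many results to unpack");`, then `n++;  /* now e - i + 1; cannot overflow since n < INT_MAX */`, then `if (!lua_checkstack(L, (int)n)) return luaL_error(L, "too many results to unpack");` keeps the same two checks with no side effect in a condition and makes the unsigned-to-int narrowing passed to lua_checkstack explicit. The unsigned subtraction itself is the right replacement for the signed `e - i + 1`, which overflowed for a sufficiently negative `i`.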
diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c
index ec84f4fab..2fa4c952a 100644
--- a/deps/lua/src/ltable.c
+++ b/deps/lua/src/ltable.c
@@ -433,8 +433,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) {
 ** search function for integers
 */
 const TValue *luaH_getnum (Table *t, int key) {
- /* (1 <= key && key <= t->sizearray) */
- if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray))
+ if (1 <= key && key <= t->sizearray)
 return &t->array[key-1];
 else {
 lua_Number nk = cast_num(key);
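Review bot: The plain range test is clearer than the unsigned-cast trick it replaces, but the hunk drops the only comment on this line and records nowhere that the old form computed `key-1` before checking the range, which is signed overflow for `key == INT_MIN`; the new `1 <= key && key <= t->sizearray` only indexes with `key-1` once it is known to be in range. That motivation should stay in the source so nobody restores the single-comparison version for speed, e.g. `/* explicit range test: 'key-1' would overflow for INT_MIN */` above the `if`. The `else` branch of luaH_getnum continues outside the hunk.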