main/lua5.3: upgrade to 5.3.5 and sec fix CVE-2019-6706

fixes #10255

1 files changed, 24 insertions, 0 deletions

diff --git a/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch b/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
new file mode 100644
index 0000000000..ea26696fda
--- /dev/null
+++ b/main/lua5.3/CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
@@ -0,0 +1,24 @@
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+
+--- a/src/lapi.c
++++ b/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++  if (*up1 == *up2) return; /* Already joined */
++  (*up2)->refcount++;
++  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+ 
+