From: John L. <jla...@gm...> - 2013-08-11 15:29:22
On Sat, Aug 10, 2013 at 3:41 PM, Andreas Falkenhahn <an...@fa...> wrote:

> Hi,
>
> I've just seen that there seems to be a potential memory access fault in
> wxLua in wxlua_getchararray() in wxlstate.cpp. Have a look at this code:
>
>     int table_len = lua_objlen(L, stack_idx);
>     if (table_len > 0)
>         arrChar = new const char *[table_len];
>
>     if (arrChar != NULL)
>     {
>         for (int n = 0; n < table_len; ++n)
>         {
>             lua_rawgeti(L, stack_idx, n+1); // Lua array starts at 1
>             const char *s = wxlua_getstringtype(L, -1);
>             arrChar[n] = s; // share Lua string
>             lua_pop(L, 1);
>         }
>     }
>
> You can see here that the pointer returned by lua_tostring() [which is
> usually called by wxlua_getstringtype()] is stored inside arrChar[n] here
> and then the string is popped from the stack. But AFAIK Lua guidelines say
> that pointers only remain valid as long as they're on the stack. Once
> they've been popped, they could become invalid at any time. Thus, the code
> posted above could lead to a memory access fault under certain conditions.
>

The string exists also in the Lua table where it was pushed on the stack
from and it should definitely live for the life of this and its parent's
function call.

Now, if you find a place where this function is called and the return value
is stored for use later, after more Lua code could be run, that could be a
problem.

Regards,
John
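
The lifetime argument in this exchange, as an added example that is not part of the original messages and is not Lua or wxLua code: a small constructed C model in which a string stays allocated while the value stack or a table slot refers to it. The names GcString, dup_str, gc_collect, borrow_all and lifetime_scenario are hypothetical, and the collector is a deliberate simplification of Lua's.

```c
/* Constructed model of the lifetime argument; not Lua or wxLua code.
   A string is collectable once neither the stack nor a table slot holds it. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;    /* heap buffer, NULL once collected */
    int on_stack;  /* referenced from the value stack */
    int in_table;  /* referenced from a table slot */
} GcString;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
/* Collector pass: free every string that nothing refers to any more. */
static void gc_collect(GcString *t, int n) {
    for (int i = 0; i < n; ++i)
        if (t[i].data && !t[i].on_stack && !t[i].in_table) {
            free(t[i].data);
            t[i].data = NULL;
        }
}
/* Mirrors the quoted loop: push, take the pointer, pop. Storage is shared. */
static void borrow_all(GcString *t, int n, const char **out) {
    for (int i = 0; i < n; ++i) {
        t[i].on_stack = 1;   /* lua_rawgeti */
        out[i] = t[i].data;  /* share the string */
        t[i].on_stack = 0;   /* lua_pop */
    }
}
/* Bit 0: shared string alive after the pop while the table holds it. Bit 1: still
   alive after the table drops it and a collection runs. Bit 2: private copy intact. */
static int lifetime_scenario(void) {
    GcString tbl[1] = { { dup_str("alpha"), 0, 1 } };
    const char *shared[1];
    int result = 0;
    borrow_all(tbl, 1, shared);
    gc_collect(tbl, 1);                /* popped, but the table anchors it */
    if (tbl[0].data && strcmp(shared[0], "alpha") == 0) result |= 1;
    char *owned = (result & 1) ? dup_str(shared[0]) : NULL;  /* copy while anchored */
    tbl[0].in_table = 0;               /* later Lua code clears the slot */
    gc_collect(tbl, 1);                /* shared[0] dangles from here on */
    if (tbl[0].data != NULL) result |= 2;
    if (owned && strcmp(owned, "alpha") == 0) result |= 4;
    free(owned);
    return result;
}
int main(void) { return lifetime_scenario() == 5 ? 0 : 1; }
```

In this model the shared pointer is usable for as long as the table keeps the entry, and only the private copy survives once the entry is dropped and a collection runs.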