From: Mike Pall
Date: Wed, 28 May 2025 19:13:17 +0000 (+0200)
Subject: Fix JIT slot overflow during up-recursion.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=048972dbfdb6b441fe8a9bfe4d1f048966579ba8;p=thirdparty%2FLuaJIT.git

Fix JIT slot overflow during up-recursion.

Reported by Sergey Kaplun. #1358
---
diff --git a/src/lj_record.c b/src/lj_record.c
index d336f642..1d535a22 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -749,7 +749,8 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
 lj_trace_err(J, LJ_TRERR_LLEAVE);
 } else if (J->needsnap) { /* Tailcalled to ff with side-effects. */
 lj_trace_err(J, LJ_TRERR_NYIRETL); /* No way to insert snapshot here. */
- } else if (1 + pt->framesize >= LJ_MAX_JSLOTS) {
+ } else if (1 + pt->framesize >= LJ_MAX_JSLOTS ||
+ J->baseslot + J->maxslot >= LJ_MAX_JSLOTS) {
 lj_trace_err(J, LJ_TRERR_STACKOV);
 } else { /* Return to lower frame. Guard for the target we return to. */
 TRef trpt = lj_ir_kgc(J, obj2gco(pt), IRT_PROTO);
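Review bot: The added operand `J->baseslot + J->maxslot >= LJ_MAX_JSLOTS` on the new `else if` carries no comment, while every sibling branch in this chain explains why it aborts the trace; a reader cannot tell from the expression alone which write it protects, and the commit message only says "slot overflow during up-recursion". Since this is a bounds check on the recorder's fixed-size slot array, the reason deserves to be stated at the check itself, e.g. `/* Result slots shifted up for the lower frame must fit in J->slot[]. */` on the line above the new condition, adjusted to name whatever the else branch actually moves. The check also depends on J->baseslot and J->maxslot already reflecting the post-return frame, which is set up outside this hunk and should be mentioned in that comment so a later reordering does not silently break it. Both the enclosing function lj_record_ret and the "Return to lower frame" else branch continue outside the hunk, so I could not confirm the shift that the guard covers from the visible lines.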