Check frame size limit before returning to a lower frame.

author Mike Pall <mike>

Sun, 10 Mar 2024 16:19:29 +0000 (17:19 +0100)

committer Mike Pall <mike>

Sun, 10 Mar 2024 16:19:29 +0000 (17:19 +0100)
author Mike Pall <mike>
Sun, 10 Mar 2024 16:19:29 +0000 (17:19 +0100)
committer Mike Pall <mike>
Sun, 10 Mar 2024 16:19:29 +0000 (17:19 +0100)
diff --git a/src/lj_record.c b/src/lj_record.c

index 0122105bfb01f9de682b158259a8c054456a733d..35e6d6e16afc67559e789f8a1c1dad883310e401 100644 (file)
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -749,6 +749,8 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
        lj_trace_err(J, LJ_TRERR_LLEAVE);
      } else if (J->needsnap) {  /* Tailcalled to ff with side-effects. */
        lj_trace_err(J, LJ_TRERR_NYIRETL);  /* No way to insert snapshot here. */
+    } else if (1 + pt->framesize >= LJ_MAX_JSLOTS) {
+      lj_trace_err(J, LJ_TRERR_STACKOV);
      } else {  /* Return to lower frame. Guard for the target we return to. */
        TRef trpt = lj_ir_kgc(J, obj2gco(pt), IRT_PROTO);
        TRef trpc = lj_ir_kptr(J, (void *)frame_pc(frame));