Handle partial snapshot restore due to stack overflow.

Reported by pwnhacker0x18. Fixed by Peter Cawley. #1196

diff --git a/src/lj_debug.c b/src/lj_debug.c
index bca1d7a5be5640c65e04b1f149ffcca9cd51e8f6..abb7572c18c8190dd969003a20e1326c8f198916 100644 (file)
--- a/src/lj_debug.c
+++ b/src/lj_debug.c
@@ -102,9 +102,12 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
   pos = proto_bcpos(pt, ins) - 1;
 #if LJ_HASJIT
   if (pos > pt->sizebc) {  /* Undo the effects of lj_trace_exit for JLOOP. */
-    GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));
-    lua_assert(bc_isret(bc_op(ins[-1])));
-    pos = proto_bcpos(pt, mref(T->startpc, const BCIns));
+    if (bc_isret(bc_op(ins[-1]))) {
+      GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));
+      pos = proto_bcpos(pt, mref(T->startpc, const BCIns));
+    } else {
+      pos = NO_BCPOS;  /* Punt in case of stack overflow. */
+    }
   }
 #endif
   return pos;

diff --git a/src/lj_trace.c b/src/lj_trace.c
index d015f2ab9267140effecbb220755611eeb6145a7..8385f3d1e1845154273f2d1fb9cbcc271d4be9fd 100644 (file)
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -788,8 +788,10 @@ int LJ_FASTCALL lj_trace_exit(jit_State *J, void *exptr)
   exd.J = J;
   exd.exptr = exptr;
   errcode = lj_vm_cpcall(L, NULL, &exd, trace_exit_cp);
-  if (errcode)
+  if (errcode) {
+    setcframe_pc(cframe_raw(L->cframe), L);  /* Point to any valid memory. */
     return -errcode;  /* Return negated error code. */
+  }
 
   lj_vmevent_send(L, TEXIT,
     lj_state_checkstack(L, 4+RID_NUM_GPR+RID_NUM_FPR+LUA_MINSTACK);