lua-llthreads
lua-llthreads copied to clipboard
Published
20 hours ago •
Neopallium
Neopallium
Possible NULL pointer dereference on Lua_LLThread__delete__meth??
Dear developers:
Our static analysis tool reports an NPD bug here, since this_idx1 may be null. It may be a false positive. Thank yo for your confirmation.
https://github.com/Neopallium/lua-llthreads/blob/8dcf3871d42e52332ced417680e27a6127fdcbb9/src/pre_generated-llthreads.nobj.c#L1788
static int Lua_LLThread__delete__meth(lua_State *L) {
int this_flags_idx1 = 0;
Lua_LLThread * this_idx1;
Lua_LLThread_child *child;
this_idx1 = obj_type_Lua_LLThread_delete(L,1,&(this_flags_idx1)); //execute obj_udata_luadelete_weak which may return null.
if(!(this_flags_idx1 & OBJ_UDATA_FLAG_OWN)) { return 0; }
/* if the thread has been started and has not been detached/joined. */
if((this_idx1->state & TSTATE_STARTED) == TSTATE_STARTED &&
(this_idx1->state & (TSTATE_DETACHED|TSTATE_JOINED)) == 0) {
...;
}
llthread_destroy(this_idx1);
return 0;
}
This method may return NULL.
static FUNC_UNUSED void *obj_udata_luadelete_weak(lua_State *L, int _index, obj_type *type, int *flags) {
void *obj;
obj_udata *ud = obj_udata_luacheck_internal(L, _index, &(obj), type, 0);
if(ud == NULL) return NULL;
*flags = ud->flags;
/* null userdata. */
ud->obj = NULL;
ud->flags = 0;
/* clear the metatable in invalidate userdata. */
lua_pushnil(L);
lua_setmetatable(L, _index);
/* get objects weak table. */
lua_pushlightuserdata(L, obj_udata_weak_ref_key);
lua_rawget(L, LUA_REGISTRYINDEX); /* weak ref table. */
/* remove object from weak table. */
lua_pushlightuserdata(L, obj);
lua_pushnil(L);
lua_rawset(L, -3);
return obj;
}
Sorry for the very long wait. The pointer can only be NULL if the flags are not set. With the flag check for OWN will cause the function to return.
if(!(this_flags_idx1 & OBJ_UDATA_FLAG_OWN)) { return 0; } This will always return zero when the pointer is NULL.
