lua: update to the latest bugfix patch

Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

12 files changed, 426 insertions, 0 deletions

diff --git a/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
new file mode 100644
index 000000000..afd36d296
--- /dev/null
+++ b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
@@ -0,0 +1,11 @@
+From 293f82d33cd67b7f48e078788af6a4b2887c16bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:05:35 +0100
+Subject: [PATCH 01/11] Maliciously crafted precompiled code can crash Lua
+
+Comes from http://www.lua.org/bugs.html#5.1.4-1
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
diff --git a/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
new file mode 100644
index 000000000..428dcfd4e
--- /dev/null
+++ b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
@@ -0,0 +1,12 @@
+From e5973b1ca3ad83d500f0c85abb78b2a0bf5fbdc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:07:18 +0100
+Subject: [PATCH 02/11] It is possible to create functions that return too many arguments and
+ overflow the stack of C functions.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-2
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
diff --git a/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 000000000..894258719
--- /dev/null
+++ b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
@@ -0,0 +1,72 @@
+From b40f5fc4341153fc53fa2d0e839223944b022e6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:10:56 +0100
+Subject: [PATCH 03/11] Wrong code generation for some particular boolean expressions. (see also
+ 9)
+
+Comes from http://www.lua.org/bugs.html#5.1.4-3
+
+ reported by Brian Kelley on 15 Apr 2009.
+ Example:
+ --
+ print(((1 or false) and true) or false)   --> 1, but should be 'true'
+ --
+
+Patch: (partial solution; see also 9)
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index cff626b..84f286b 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -544,15 +544,18 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+       pc = NO_JUMP;  /* always true; do nothing */
+       break;
+     }
+-    case VFALSE: {
+-      pc = luaK_jump(fs);  /* always jump */
+-      break;
+-    }
+     case VJMP: {
+       invertjump(fs, e);
+       pc = e->u.s.info;
+       break;
+     }
++    case VFALSE: {
++      if (!hasjumps(e)) {
++        pc = luaK_jump(fs);  /* always jump */
++        break;
++      }
++      /* else go through */
++    }
+     default: {
+       pc = jumponcond(fs, e, 0);
+       break;
+@@ -572,14 +575,17 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+       pc = NO_JUMP;  /* always false; do nothing */
+       break;
+     }
+-    case VTRUE: {
+-      pc = luaK_jump(fs);  /* always jump */
+-      break;
+-    }
+     case VJMP: {
+       pc = e->u.s.info;
+       break;
+     }
++    case VTRUE: {
++      if (!hasjumps(e)) {
++        pc = luaK_jump(fs);  /* always jump */
++        break;
++      }
++      /* else go through */
++    }
+     default: {
+       pc = jumponcond(fs, e, 1);
+       break;
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
new file mode 100644
index 000000000..7fa62f89b
--- /dev/null
+++ b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
@@ -0,0 +1,51 @@
+From 41f746c9be4330bac1466ab994f147aeef88675d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:13:59 +0100
+Subject: [PATCH 04/11] luaV_settable may invalidate a reference to a table and try to reuse it
+
+Comes from http://www.lua.org/bugs.html#5.1.4-4
+
+reported by Mark Feldman on 27 Jun 2009.
+Example:
+ --
+ grandparent = {}
+ grandparent.__newindex = function(s,_,_) print(s) end
+ 
+ parent = {}
+ parent.__newindex = parent
+ setmetatable(parent, grandparent)
+ 
+ child = setmetatable({}, parent)
+ child.foo = 10      --> (crash on some machines)
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index ee3256a..4ac2e71 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -133,6 +133,7 @@ void luaV_gettable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+ 
+ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+   int loop;
++  TValue temp;
+   for (loop = 0; loop < MAXTAGLOOP; loop++) {
+     const TValue *tm;
+     if (ttistable(t)) {  /* `t' is a table? */
+@@ -152,7 +153,9 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+       callTM(L, tm, t, key, val);
+       return;
+     }
+-    t = tm;  /* else repeat with `tm' */ 
++    /* else repeat with `tm' */
++    setobj(L, &temp, tm);  /* avoid pointing inside table (may rehash) */
++    t = &temp;
+   }
+   luaG_runerror(L, "loop in settable");
+ }
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
new file mode 100644
index 000000000..02052fdad
--- /dev/null
+++ b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
@@ -0,0 +1,32 @@
+From a0e82265587327b15635b61517601cb7c74de07e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:18:20 +0100
+Subject: [PATCH 05/11] debug.getfenv does not check whether it has an argument.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-5
+
+reported by Patrick Donnelly on 30 Jul 2009.
+Example:
+ --
+ debug.getfenv()   -- should raise an error
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/ldblib.c b/src/ldblib.c
+index 67de122..21116ac 100644
+--- a/src/ldblib.c
++++ b/src/ldblib.c
+@@ -45,6 +45,7 @@ static int db_setmetatable (lua_State *L) {
+ 
+ 
+ static int db_getfenv (lua_State *L) {
++  luaL_checkany(L, 1);
+   lua_getfenv(L, 1);
+   return 1;
+ }
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
new file mode 100644
index 000000000..841a917e4
--- /dev/null
+++ b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
@@ -0,0 +1,34 @@
+From 4a37f37706e3f89d379a827c8da646d34d136c3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:20:15 +0100
+Subject: [PATCH 06/11] GC may get stuck during parsing and avoids proper resizing of the string
+ table, making its lists grow too much and degrading performance.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-6
+
+ reported by Sean Conner on 10 Nov 2009.
+
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/llex.c b/src/llex.c
+index 6dc3193..92d6575 100644
+--- a/src/llex.c
++++ b/src/llex.c
+@@ -118,8 +118,10 @@ TString *luaX_newstring (LexState *ls, const char *str, size_t l) {
+   lua_State *L = ls->L;
+   TString *ts = luaS_newlstr(L, str, l);
+   TValue *o = luaH_setstr(L, ls->fs->h, ts);  /* entry for `str' */
+-  if (ttisnil(o))
++  if (ttisnil(o)) {
+     setbvalue(o, 1);  /* make sure `str' will not be collected */
++    luaC_checkGC(L);
++  }
+   return ts;
+ }
+ 
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
new file mode 100644
index 000000000..122528e98
--- /dev/null
+++ b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
@@ -0,0 +1,44 @@
+From ce47c22d52dcc4996c03e073ddf94398aa42411e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:21:46 +0100
+Subject: [PATCH 07/11] string.format may get buffer as an argument when there are missing
+ arguments and format string is too long.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-7
+
+reported by Roberto on 12 Apr 2010.
+Example:
+ --
+ x = string.rep("x", 10000) .. "%d"
+ print(string.format(x))    -- gives wrong error message
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lstrlib.c b/src/lstrlib.c
+index 1b4763d..fe452ce 100644
+--- a/src/lstrlib.c
++++ b/src/lstrlib.c
+@@ -754,6 +754,7 @@ static void addintlen (char *form) {
+ 
+ 
+ static int str_format (lua_State *L) {
++  int top = lua_gettop(L);
+   int arg = 1;
+   size_t sfl;
+   const char *strfrmt = luaL_checklstring(L, arg, &sfl);
+@@ -768,7 +769,8 @@ static int str_format (lua_State *L) {
+     else { /* format item */
+       char form[MAX_FORMAT];  /* to store the format (`%...') */
+       char buff[MAX_ITEM];  /* to store the formatted item */
+-      arg++;
++      if (++arg > top)
++        luaL_argerror(L, arg, "no value");
+       strfrmt = scanformat(L, strfrmt, form);
+       switch (*strfrmt++) {
+         case 'c': {
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
new file mode 100644
index 000000000..080c18f60
--- /dev/null
+++ b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
@@ -0,0 +1,37 @@
+From 224bbe29a295851544712b4470f7a48f338cddaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:23:53 +0100
+Subject: [PATCH 08/11] io.read("*n", "*n") may return garbage if second read fails.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-8
+
+reported by Roberto on 12 Apr 2010.
+Example:
+ --
+ print(io.read("*n", "*n"))   --<< enter "10   hi"
+ --> file (0x884420)	nil
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/liolib.c b/src/liolib.c
+index e79ed1c..8de2547 100644
+--- a/src/liolib.c
++++ b/src/liolib.c
+@@ -276,7 +276,10 @@ static int read_number (lua_State *L, FILE *f) {
+     lua_pushnumber(L, d);
+     return 1;
+   }
+-  else return 0;  /* read fails */
++  else {
++    lua_pushnil(L);  /* "result" to be removed */
++    return 0;  /* read fails */
++  }
+ }
+ 
+ 
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 000000000..0ebb3d732
--- /dev/null
+++ b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
@@ -0,0 +1,55 @@
+From 14c92823c5877a458ddcfa2c90d0b03ea873baa3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:25:18 +0100
+Subject: [PATCH 09/11] Wrong code generation for some particular boolean expressions.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-9
+
+reported by Thierry Van Elsuwe on 20 Jan 2011.
+Example:
+ --
+ print((('hi' or true) and true) or true)
+ --> hi     (should be true)
+ print(((nil and nil) or false) and true)
+ --> nil    (should be false)
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index 84f286b..c13066e 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -549,13 +549,6 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+       pc = e->u.s.info;
+       break;
+     }
+-    case VFALSE: {
+-      if (!hasjumps(e)) {
+-        pc = luaK_jump(fs);  /* always jump */
+-        break;
+-      }
+-      /* else go through */
+-    }
+     default: {
+       pc = jumponcond(fs, e, 0);
+       break;
+@@ -579,13 +572,6 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+       pc = e->u.s.info;
+       break;
+     }
+-    case VTRUE: {
+-      if (!hasjumps(e)) {
+-        pc = luaK_jump(fs);  /* always jump */
+-        break;
+-      }
+-      /* else go through */
+-    }
+     default: {
+       pc = jumponcond(fs, e, 1);
+       break;
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
new file mode 100644
index 000000000..c6ce00186
--- /dev/null
+++ b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
@@ -0,0 +1,36 @@
+From 81ff350a91cb1c248e96366eed3049386c5f2cba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:27:04 +0100
+Subject: [PATCH 10/11] __newindex metamethod may not work if metatable is its own metatable.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-10
+
+reported by Cuero Bugot on 09 Aug 2011.
+Example:
+ --
+ meta={}
+ setmetatable(meta, meta)
+ meta.__newindex = function(t, key, value) print("set") end
+ o = setmetatable({}, meta)
+ o.x = 10    -- should print 'set'
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index 4ac2e71..ca7bea0 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -142,6 +142,7 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+       if (!ttisnil(oldval) ||  /* result is no nil? */
+           (tm = fasttm(L, h->metatable, TM_NEWINDEX)) == NULL) { /* or no TM? */
+         setobj2t(L, oldval, val);
++        h->flags = 0;
+         luaC_barriert(L, h, val);
+         return;
+       }
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
new file mode 100644
index 000000000..e3785c990
--- /dev/null
+++ b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
@@ -0,0 +1,31 @@
+From 23449ee61f062a18926f11a216f9906155f259b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:28:19 +0100
+Subject: [PATCH 11/11] Parser may collect a prototype while building it.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-11
+
+reported by Ingo van Lil on 13 Oct 2011.
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 1e2a9a8..a2721d2 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -374,9 +374,9 @@ static void close_func (LexState *ls) {
+   lua_assert(luaG_checkcode(f));
+   lua_assert(fs->bl == NULL);
+   ls->fs = fs->prev;
+-  L->top -= 2;  /* remove table and prototype from the stack */
+   /* last token read was anchored in defunct function; must reanchor it */
+   if (fs) anchor_token(ls);
++  L->top -= 2;  /* remove table and prototype from the stack */
+ }
+ 
+ 
+-- 
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/series b/patches/lua-5.1.4/series
index 2c51e37c2..5f3e6b417 100644
--- a/patches/lua-5.1.4/series
+++ b/patches/lua-5.1.4/series
@@ -1,3 +1,14 @@
 remove-Makefile.diff
 autoconfize.diff
 automakize.diff
+#0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
+#0002-It-is-possible-to-create-functions-that-return-too-m.patch
+0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
+0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
+0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
+0007-string.format-may-get-buffer-as-an-argument-when-the.patch
+0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
+0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
+0011-Parser-may-collect-a-prototype-while-building-it.patch