<!DOCTYPE html>

<html data-lt-installed="true">

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  </head>

  <body style="padding-bottom: 1px;">

    <p>Hello, Sergey,</p>

    <p>thanks for the patch!</p>

    <p>LGTM with minor comment below.</p>

    <p>Sergey<br>

    </p>

    <div class="moz-cite-prefix">On 6/5/25 12:41, Sergey Kaplun wrote:<br>

    </div>

    <blockquote type="cite"

      cite="mid:20250605094105.21923-1-skaplun@tarantool.org">

      <pre wrap="" class="moz-quote-pre">From: Mike Pall <mike>

Reported by Sergey Kaplun.

(cherry picked from commit 048972dbfdb6b441fe8a9bfe4d1f048966579ba8)

In the case when LuaJIT is recording the side trace after the

up-recursion call, there is no check that the updated `maxslot` value

doesn't overflow the `LJ_MAX_JSLOTS` limit. If it records several huge

returns in a row, the overflow of the aforementioned limit may occur.

This triggers an assertion failure in `rec_check_slots()`.

This patch fixes it by adding the corresponding check in the

`lj_record_ret()`.

Sergey Kaplun:

* added the description and the test for the problem

Part of tarantool/tarantool#11278</pre>

    </blockquote>

    Please add a "Closes tarantool/security#145".<br>

    <blockquote type="cite"

      cite="mid:20250605094105.21923-1-skaplun@tarantool.org">

      <pre wrap="" class="moz-quote-pre">

---

Branch: <a class="moz-txt-link-freetext" href="https://github.com/tarantool/luajit/tree/skaplun/lj-1358-jslot-overflow-uprecursion">https://github.com/tarantool/luajit/tree/skaplun/lj-1358-jslot-overflow-uprecursion</a>

Related issues:

* <a class="moz-txt-link-freetext" href="https://github.com/tarantool/tarantool/issues/11278">https://github.com/tarantool/tarantool/issues/11278</a>

* <a class="moz-txt-link-freetext" href="https://github.com/LuaJIT/LuaJIT/issues/1358">https://github.com/LuaJIT/LuaJIT/issues/1358</a></pre>

    </blockquote>

    <p>Also <a class="moz-txt-link-freetext" href="https://github.com/tarantool/security/issues/145">https://github.com/tarantool/security/issues/145</a>.</p>

    <p><br>

    </p>

    <p><snipped><br>

    </p>

    <br>

  </body>

  <lt-container></lt-container>

</html>