From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <maria.khaydich@tarantool.org>
Received: from smtpng2.m.smailru.net (smtpng2.m.smailru.net [94.100.179.3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 7E49546970F
 for <tarantool-patches@dev.tarantool.org>;
 Sat, 30 Nov 2019 00:36:25 +0300 (MSK)
From: Maria <maria.khaydich@tarantool.org>
Date: Sat, 30 Nov 2019 00:36:24 +0300
Message-Id: <20191129213624.35735-1-maria.khaydich@tarantool.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Tarantool-patches] [PATCH] Stack use after scope
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: tarantool-patches@dev.tarantool.org, georgy@tarantool.org

Json decode method allocated serializer struct on stack and referenced
it after scope.

Thanks to @Korablev77 for the initial investigation.

Closes #4637
---
 third_party/lua-cjson/lua_cjson.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/third_party/lua-cjson/lua_cjson.c b/third_party/lua-cjson/lua_cjson.c
index 3d7edbf28..3d25814f3 100644
--- a/third_party/lua-cjson/lua_cjson.c
+++ b/third_party/lua-cjson/lua_cjson.c
@@ -1005,10 +1005,10 @@ static int json_decode(lua_State *l)
                   "expected 1 or 2 arguments");
 
     if (lua_gettop(l) == 2) {
-        struct luaL_serializer user_cfg = *luaL_checkserializer(l);
-        luaL_serializer_parse_options(l, &user_cfg);
+        struct luaL_serializer *user_cfg = luaL_checkserializer(l);
+        luaL_serializer_parse_options(l, user_cfg);
         lua_pop(l, 1);
-        json.cfg = &user_cfg;
+        json.cfg = user_cfg;
     } else {
         json.cfg = luaL_checkserializer(l);
     }
-- 
2.20.1 (Apple Git-117)