
Bug#616601: marked as done (tolua++-generated stub can leak a variable-size array on element type mismatch)



Your message dated Thu, 23 Oct 2025 13:33:52 +0000
with message-id <E1vBvRw-0046Z9-2H@fasolo.debian.org>
and subject line Bug#1118544: Removed package(s) from unstable
has caused the Debian Bug report #616601,
regarding tolua++-generated stub can leak a variable-size array on element type mismatch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
616601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616601
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libtolua++5.1-dev
Version: 1.0.93-1
Severity: normal

If a *.pkg file declares a function with a variable-size array
parameter, then the C++ stub generated by tolua++ allocates
the array with the Mtolua_new_dim macro, copies the contents
of the corresponding Lua table there, passes the array to the
C++ function, copies any modified contents back to the Lua
table, and frees the array with the Mtolua_delete_dim macro.
By default, these macros use the new[] and delete[] operators.

However, if the Lua table contains values that cannot be
converted to the element type of the C++ array, then the stub
notices this after it has allocated the array, and it calls
tolua_error, which indirectly calls longjmp and never returns.
The array is never freed in this case; that is a memory leak.
Because of the type mismatch error, the stub doesn't even call
the wrapped C++ function, so tolua++ cannot claim the bug is
in that function.

Here is a program that triggers the bug:

#include <cassert>
#include <tolua++.h>
#include "leak-tolua.h"

static int
bad_call(lua_State *state)
{
	int ret = luaL_loadstring(state, "func(42, {'not a number'})");
	assert(ret == 0);

	lua_call(state, 0, 0);
	return 0;
}

int
main(void)
{
	lua_State *state = luaL_newstate();
	assert(state != NULL);

	int openok = tolua_leak_open(state);
	assert(openok == 1);

	for (int i = 0; i < 10000; ++i)
	{
		int ret = lua_cpcall(state, bad_call, NULL);
		assert(ret == LUA_ERRRUN);
		lua_pop(state, 1);
	}

	lua_close(state);
	return 0;
}

$void func(int len, int array[]) {}

void func(int len, int array[len]);

TOLUAXX = tolua++5.1
CPPFLAGS = -I/usr/include/lua5.1
CXXFLAGS = -ggdb -Wall

leak: leak.cpp leak-tolua.cpp leak-tolua.h
	$(CXX) $(CPPFLAGS) $(CXXFLAGS) -o leak leak.cpp leak-tolua.cpp -ltolua++5.1 -llua5.1

leak-tolua.cpp leak-tolua.h: leak.pkg
	$(TOLUAXX) -o leak-tolua.cpp -H leak-tolua.h leak.pkg

.PHONY: clean
clean:
	$(RM) leak leak-tolua.cpp leak-tolua.h

==32489== Memcheck, a memory error detector
==32489== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==32489== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==32489== Command: ./leak
==32489== 
==32489== 
==32489== HEAP SUMMARY:
==32489==     in use at exit: 1,680,000 bytes in 10,000 blocks
==32489==   total heap usage: 201,998 allocs, 191,998 frees, 11,571,386 bytes allocated
==32489== 
==32489== 1,680,000 bytes in 10,000 blocks are definitely lost in loss record 1 of 1
==32489==    at 0x4C24A72: operator new[](unsigned long) (vg_replace_malloc.c:305)
==32489==    by 0x401C67: tolua_leak_func00(lua_State*) (leak-tolua.cpp:40)
==32489==    by 0x4E35A55: luaD_precall (ldo.c:319)
==32489==    by 0x4E40810: luaV_execute (lvm.c:587)
==32489==    by 0x4E35FC4: luaD_call (ldo.c:377)
==32489==    by 0x4E31305: lua_call (lapi.c:782)
==32489==    by 0x401AC8: bad_call(lua_State*) (leak.cpp:11)
==32489==    by 0x4E35A55: luaD_precall (ldo.c:319)
==32489==    by 0x4E35F68: luaD_call (ldo.c:376)
==32489==    by 0x4E35646: luaD_rawrunprotected (ldo.c:116)
==32489==    by 0x4E356C4: luaD_pcall (ldo.c:463)
==32489==    by 0x4E310B6: lua_cpcall (lapi.c:856)
==32489== 
==32489== LEAK SUMMARY:
==32489==    definitely lost: 1,680,000 bytes in 10,000 blocks
==32489==    indirectly lost: 0 bytes in 0 blocks
==32489==      possibly lost: 0 bytes in 0 blocks
==32489==    still reachable: 0 bytes in 0 blocks
==32489==         suppressed: 0 bytes in 0 blocks
==32489== 
==32489== For counts of detected and suppressed errors, rerun with: -v
==32489== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libtolua++5.1-dev depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  liblua5.1-0                   5.1.4-5    Simple, extensible, embeddable pro
ii  liblua5.1-0-dev [liblua5.1-de 5.1.4-5    Simple, extensible, embeddable pro

libtolua++5.1-dev recommends no packages.

libtolua++5.1-dev suggests no packages.

-- no debconf information



--- End Message ---
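The ordering problem the report describes (allocate the array, then discover a non-convertible element, then longjmp out through the error handler) and the ordering that avoids it, reduced to plain C with setjmp/longjmp standing in for lua_error. This is an added illustration, not code from the report or from tolua++; Value, new_dim, delete_dim, stub_error and the 10,000-entry tracking array are constructed stand-ins.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a Lua table element: only numbers convert to int. */
typedef struct { int is_number; double num; } Value;

static jmp_buf err_jmp;          /* the Lua state's error jump target */
static int *live[10000]; static long live_blocks = 0; /* outstanding new_dim blocks */

static int *new_dim(size_t n) {  /* Mtolua_new_dim stand-in, with tracking */
    int *p = malloc(n * sizeof(int));
    live[live_blocks++] = p;
    return p;
}
static void delete_dim(int *p) { /* Mtolua_delete_dim stand-in */
    if (live_blocks > 0 && live[live_blocks - 1] == p) live_blocks--;
    free(p);
}
/* tolua_error stand-in: like lua_error it longjmps and never returns. */
static void stub_error(void) { longjmp(err_jmp, 1); }

/* Order used by the reported stub: allocate first, then convert each element. */
static void leaky_stub(const Value *tbl, size_t len) {
    int *array = new_dim(len);
    for (size_t i = 0; i < len; i++) {
        if (!tbl[i].is_number) stub_error();  /* `array` is now unreachable */
        array[i] = (int)tbl[i].num;
    }
    delete_dim(array);
}

/* Fixed order: reject the table before anything is allocated. */
static void fixed_stub(const Value *tbl, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!tbl[i].is_number) stub_error();  /* nothing to free yet */
    int *array = new_dim(len);
    for (size_t i = 0; i < len; i++) array[i] = (int)tbl[i].num;
    delete_dim(array);
}

/* Call a stub `calls` times with a mismatched table inside a protected call
   (the analogue of lua_cpcall) and return how many blocks are still live. */
static long run_protected(void (*stub)(const Value *, size_t), int calls) {
    const Value bad[1] = { { 0, 0.0 } };     /* constructed: {'not a number'} */
    for (volatile int i = 0; i < calls; i++)
        if (setjmp(err_jmp) == 0) stub(bad, 1); /* else: error path, as after LUA_ERRRUN */
    return live_blocks;
}
/* Free what the leaky stub left behind so another run starts from zero. */
static void reclaim_leaked(void) { while (live_blocks > 0) free(live[--live_blocks]); }
```

The counts match the valgrind summary in the report: one block per failed call for the leaky order, none for the fixed order.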
--- Begin Message ---
Version: 1.0.93-5+rm

Dear submitter,

as the package tolua++ has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1118544

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---