From 2ea068de1b39fc6be2ac3c11f7219028f540e657 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 4 Jul 2025 17:00:31 -0400
Subject: [PATCH] _wplua_pcall: avoid Lua stack overflow

C code must ensure that the Lua stack does not overflow.  Ensure there
are enough slots for both the error handler and for the return values.
---
 modules/module-lua-scripting/wplua/wplua.c | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/modules/module-lua-scripting/wplua/wplua.c b/modules/module-lua-scripting/wplua/wplua.c
index 1b321036..9d39264b 100644
--- a/modules/module-lua-scripting/wplua/wplua.c
+++ b/modules/module-lua-scripting/wplua/wplua.c
@@ -70,9 +70,30 @@ _wplua_errhandler (lua_State *L)
 int
 _wplua_pcall (lua_State *L, int nargs, int nret)
 {
-  int hpos = lua_gettop (L) - nargs;
+  int slots = lua_gettop (L);
   int ret = LUA_OK;
+  /* 1 stack slot needed for error handler. */
+  int hpos, stack_slots = 1;
 
+  if (nargs < 0)
+    g_error ("negative number of arguments");
+  /* Need nargs + 1 stack slots for function and its arguments. */
+  if (slots <= nargs)
+    g_error ("not enough stack slots for arguments and function");
+  if (nret != LUA_MULTRET) {
+    if (nret - nargs > 1) {
+      /* Need more stack slots: 1 for the error handler and (nret - (nargs + 1))
+       * for the return values (after popping the function and its arguments). */
+      stack_slots = nret - nargs;
+    } else if (nret < 0)
+      g_error ("negative number of return values");
+  }
+  if (!lua_checkstack (L, stack_slots)) {
+    wp_critical ("_wplua_pcall: cannot grow Lua stack");
+    return LUA_ERRMEM;
+  }
+
+  hpos = slots - nargs;
   lua_pushcfunction (L, _wplua_errhandler);
   lua_insert (L, hpos);