I've been looking through the Lua source code. I have figured out where the VM gets the next instruction. It's the first line of the vmfetch macro:
    #define vmfetch() { \
      i = *(ci->u.l.savedpc++); \
      if (L->hookmask & (LUA_MASKLINE | LUA_MASKCOUNT)) \
        Protect(luaG_traceexec(L)); \
      ra = RA(i); /* WARNING: any stack reallocation invalidates 'ra' */ \
      lua_assert(base == ci->u.l.base); \
      lua_assert(base <= L->top && L->top < L->stack + L->stacksize); \
    }
However, I haven't been able to find any code in vmfetch or in luaV_execute that checks to see if ci->u.l.savedpc++ is actually a valid address. What is preventing Lua from accidentally executing data at some random address?
The protection is in the compilation phase. The byte-code generation would not build a chunk without some termination in it.
Allowing your users to add compiled Lua without any "trust" is a vulnerability. Games such as WoW, which allow user Lua, only accept source code, ensuring they have control over the compilation process.
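The "only accept source code" mitigation from the answer, as an added example that is not part of the original post: `load` is called with mode `"t"`, so a precompiled chunk (here produced with `string.dump`) is refused before the VM ever fetches from it, and the accepted source runs in a coroutine under a count hook, the same `LUA_MASKCOUNT` path that `vmfetch` checks. Assumes Lua 5.3; the sandbox environment and the instruction budget are illustrative choices.

```lua
-- Minimal environment handed to user code (assumption: adjust to your needs).
local sandbox_env = { pairs = pairs, ipairs = ipairs, string = string, math = math }

-- Compile untrusted text only. Mode "t" rejects binary chunks, so the
-- compiler, not the user, is the only thing that ever produces bytecode.
local function load_untrusted(src, name)
  if type(src) ~= "string" then return nil, "chunk must be a string" end
  return load(src, "=" .. name, "t", sandbox_env)
end

-- Run a compiled chunk with an instruction budget enforced by a count hook.
local function run_bounded(fn, max_instr)
  local co = coroutine.create(fn)
  debug.sethook(co, function()
    error("instruction budget of " .. max_instr .. " exceeded", 2)
  end, "", max_instr)
  return coroutine.resume(co)
end

-- 1. Plain source text is accepted and runs to completion.
local fn = assert(load_untrusted("local s = 0 for i = 1, 10 do s = s + i end return s", "user1"))
local ok, result = run_bounded(fn, 10000)
assert(ok and result == 55)

-- 2. A precompiled chunk is rejected by the loader, never reaching the VM.
local bytecode = string.dump(function() return 1 end)
local bad, err = load_untrusted(bytecode, "user2")
assert(bad == nil and err:find("binary chunk", 1, true))

-- 3. Source that never returns is stopped by the count hook instead of hanging.
local spin = assert(load_untrusted("while true do end", "user3"))
local ok2, err2 = run_bounded(spin, 1000)
assert(not ok2 and err2:find("budget", 1, true))
print("untrusted-code checks passed")
```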