From 3e353b54827c5f6bcd20089f281e710f84813532 Mon Sep 17 00:00:00 2001
From: pr-hung <bkedx0000@gmail.com>
Date: Wed, 11 Mar 2026 23:21:46 +0800
Subject: [PATCH] Fix potential vulnerability in cloned code
 (src/lua/src/lvm.c)

---
 src/lua/src/lvm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lua/src/lvm.c b/src/lua/src/lvm.c
index 08681af1b..10d07b67f 100644
--- a/src/lua/src/lvm.c
+++ b/src/lua/src/lvm.c
@@ -653,9 +653,11 @@ void luaV_concat (lua_State *L, int total) {
       TString *ts;
       /* collect total length and number of strings */
       for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+        if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
         size_t l = vslen(s2v(top - n - 1));
-        if (unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+          L->top = top - total;  /* pop strings to avoid wasting stack */
           luaG_runerror(L, "string length overflow");
+        }
         tl += l;
       }
       if (tl <= LUAI_MAXSHORTLEN) {  /* is result a short string? */
@@ -669,8 +671,8 @@ void luaV_concat (lua_State *L, int total) {
       }
       setsvalue2s(L, top - n, ts);  /* create result */
     }
+    L->top = top - (n - 1);  /* popped 'n' strings and pushed one */
     total -= n-1;  /* got 'n' strings to create 1 new */
-    L->top -= n-1;  /* popped 'n' strings and pushed one */
   } while (total > 1);  /* repeat until only 1 result left */
 }