fix: use-after-free in Lua garbage collection of shared objects (#3553)

dudantas · web-flow · commit af93ae0c7aef · 2025-07-08T06:59:19.000-03:00
This fixes a critical use-after-free issue caused by the premature
destruction of SharedObject instances managed via std::shared_ptr during
Lua’s __gc finalization.

Previously, the luaGarbageCollection function called reset() directly on
the shared pointer, which could destroy the underlying object while it
was still in use by C++ code — potentially leading to heap corruption
and runtime crashes.
diff --git a/src/lua/functions/lua_functions_loader.cpp b/src/lua/functions/lua_functions_loader.cpp
@@ -810,7 +810,7 @@ void Lua::registerSharedClass(lua_State* L, const std::string &className, const
 int Lua::luaGarbageCollection(lua_State* L) {
 	const auto objPtr = static_cast<std::shared_ptr<SharedObject>*>(lua_touserdata(L, 1));
 	if (objPtr) {
-		objPtr->reset();
+		objPtr->~shared_ptr<SharedObject>();
 	}
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -810,7 +810,7 @@ void Lua::registerSharedClass(lua_State* L, const std::string &className, const`
`810`	`810`	`int Lua::luaGarbageCollection(lua_State* L) {`
`811`	`811`	`const auto objPtr = static_cast<std::shared_ptr<SharedObject>*>(lua_touserdata(L, 1));`
`812`	`812`	`if (objPtr) {`
`813`		`- objPtr->reset();`
	`813`	`+ objPtr->~shared_ptr<SharedObject>();`
`814`	`814`	`}`
`815`	`815`	`return 0;`
`816`	`816`	`}`