From 302366a33853b730f1b7eb61d792abc4f84f0caa Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 10 Mar 2024 17:19:29 +0100
Subject: [PATCH] Check frame size limit before returning to a lower frame.
Thanks to Sergey Kaplun. #1173
---
 src/lj_record.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lj_record.c b/src/lj_record.c
index 0122105b..35e6d6e1 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -749,6 +749,8 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
 lj_trace_err(J, LJ_TRERR_LLEAVE);
 } else if (J->needsnap) { /* Tailcalled to ff with side-effects. */
 lj_trace_err(J, LJ_TRERR_NYIRETL); /* No way to insert snapshot here. */
+ } else if (1 + pt->framesize >= LJ_MAX_JSLOTS) {
+ lj_trace_err(J, LJ_TRERR_STACKOV);
 } else { /* Return to lower frame. Guard for the target we return to. */
 TRef trpt = lj_ir_kgc(J, obj2gco(pt), IRT_PROTO);
 TRef trpc = lj_ir_kptr(J, (void *)frame_pc(frame));
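Review bot: The new bound `1 + pt->framesize >= LJ_MAX_JSLOTS` hard-codes the base-slot offset as 1, whereas the return-to-lower-frame branch it guards (its body continues past the hunk, as does lj_record_ret itself) appears to treat the base as sitting at `1+LJ_FR2`, and the frame-entry check elsewhere in this file compares `J->baseslot + pt->framesize` rather than a literal; if that reading is right, this check is one slot too permissive on LJ_FR2 builds. Consider `} else if (1 + LJ_FR2 + pt->framesize >= LJ_MAX_JSLOTS) {` so the limit is derived from the same quantity the later code relies on, and please confirm against the assertion on baseslot in the lower-frame branch. The two added lines are also the only branch in this chain without a trailing comment; a short `/* Lower frame would not fit into the JIT slots. */` on the `else if` line would keep it in step with its siblings and record why a return, not just a call, can overflow here.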