From 1f2df26e229225a50e211f77fddddd9c7d0397ad Mon Sep 17 00:00:00 2001
From: Vicki Pfau
Date: Tue, 31 Jan 2023 17:19:01 -0800
Subject: [PATCH] Script: Fix table string key UAF

---
 src/script/engines/lua.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/script/engines/lua.c b/src/script/engines/lua.c
index 601e96b4d..bcd9e230d 100644
--- a/src/script/engines/lua.c
+++ b/src/script/engines/lua.c
@@ -584,7 +584,11 @@ struct mScriptValue* _luaCoerceTable(struct mScriptEngineContextLua* luaContext)
 return false;
 }
 mScriptTableInsert(table, key, value);
- mScriptValueDeref(key);
+ if (key->type != mSCRIPT_TYPE_MS_STR) {
+ // Strings are added to the ref pool, so we need to keep it
+ // ref'd to prevent it from being collected prematurely
+ mScriptValueDeref(key);
+ }
 mScriptValueDeref(value);
 }
 lua_pop(luaContext->lua, 1);
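Review bot: The unconditional `mScriptValueDeref(value);` directly after the new guard is unchanged, so if a string used as a table value reaches the ref pool the same way a string key does, it could be released early in the same manner. Whether it does depends on the coercion path and on what `mScriptTableInsert` retains, both outside this hunk, so that is worth confirming. The guard also decides ownership by comparing `key->type` at the call site, which stays correct only while strings are the only pooled kind. The comment would be more useful if it named where the retained reference is eventually dropped, along the lines of `// Not deref'd here: the ref pool owns this reference and releases it when the pool is drained (confirm)`. `_luaCoerceTable` begins and ends outside the hunk, so the early `return false;` path above could not be checked for the same handling.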