From 59079b911d0b2ae1f7351d9c01584d5a4e2dc355 Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00 <dongyeonkim2000@gmail.com>
Date: Mon, 20 Oct 2025 19:02:04 +0900
Subject: [PATCH 1/3] Fix lua UAF (CVE-2025-49844) - Redishell

---
 extern/redis-3.2.11/deps/lua/src/lparser.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/extern/redis-3.2.11/deps/lua/src/lparser.c b/extern/redis-3.2.11/deps/lua/src/lparser.c
index dda7488dc..ee7d90c90 100644
--- a/extern/redis-3.2.11/deps/lua/src/lparser.c
+++ b/extern/redis-3.2.11/deps/lua/src/lparser.c
@@ -384,13 +384,17 @@ Proto *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff, const char *name) {
   struct LexState lexstate;
   struct FuncState funcstate;
   lexstate.buff = buff;
-  luaX_setinput(L, &lexstate, z, luaS_new(L, name));
+  TString *tname = luaS_new(L, name);
+  setsvalue2s(L, L->top, tname);
+  incr_top(L);
+  luaX_setinput(L, &lexstate, z, tname);
   open_func(&lexstate, &funcstate);
   funcstate.f->is_vararg = VARARG_ISVARARG;  /* main func. is always vararg */
   luaX_next(&lexstate);  /* read first token */
   chunk(&lexstate);
   check(&lexstate, TK_EOS);
   close_func(&lexstate);
+  --L->top;
   lua_assert(funcstate.prev == NULL);
   lua_assert(funcstate.f->nups == 0);
   lua_assert(lexstate.fs == NULL);

From 015203786c448e98ca833b39022906544840e8ad Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00 <dongyeonkim2000@gmail.com>
Date: Mon, 20 Oct 2025 19:02:36 +0900
Subject: [PATCH 2/3] Fix lua bit.tohex (CVE-2024-31449)

---
 extern/redis-3.2.11/deps/lua/src/lua_bit.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extern/redis-3.2.11/deps/lua/src/lua_bit.c b/extern/redis-3.2.11/deps/lua/src/lua_bit.c
index 690df7d3c..a459ca98b 100644
--- a/extern/redis-3.2.11/deps/lua/src/lua_bit.c
+++ b/extern/redis-3.2.11/deps/lua/src/lua_bit.c
@@ -131,6 +131,7 @@ static int bit_tohex(lua_State *L)
   const char *hexdigits = "0123456789abcdef";
   char buf[8];
   int i;
+  if (n == INT32_MIN) n = INT32_MIN+1;
   if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
   if (n > 8) n = 8;
   for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }

From 9f829b12ed18151d85e73d410b21a820f61fbfe7 Mon Sep 17 00:00:00 2001
From: KIMDONGYEON00 <dongyeonkim2000@gmail.com>
Date: Mon, 20 Oct 2025 19:05:03 +0900
Subject: [PATCH 3/3] Added lua bit.tohex bug test (CVE-2024-31449)

---
 extern/redis-3.2.11/tests/unit/scripting.tcl | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/extern/redis-3.2.11/tests/unit/scripting.tcl b/extern/redis-3.2.11/tests/unit/scripting.tcl
index 68e136fd6..560bc2a8a 100644
--- a/extern/redis-3.2.11/tests/unit/scripting.tcl
+++ b/extern/redis-3.2.11/tests/unit/scripting.tcl
@@ -337,6 +337,12 @@ start_server {tags {"scripting"}} {
         set e
     } {*ERR*attempted to create global*}
 
+    test {lua bit.tohex bug} {
+        set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+        r ping
+        set res
+    } {0000FFFF}
+
     test {Test an example script DECR_IF_GT} {
         set decr_if_gt {
             local current