Fix embedded bytecode loader.

src/lj_bcread.c

@@ -80,6 +80,7 @@ static LJ_NOINLINE void bcread_fill(LexState *ls, MSize len, int need)
       ls->current = -1;  /* Only bad if we get called again. */
       break;
     }
+    if (size >= LJ_MAX_MEM - ls->sb.n) lj_err_mem(ls->L);
     if (ls->sb.n) {  /* Append to buffer. */
       MSize n = ls->sb.n + (MSize)size;
       bcread_resize(ls, n < len ? len : n);
@@ -467,7 +468,7 @@ GCproto *lj_bcread(LexState *ls)
     setprotoV(L, L->top, pt);
     incr_top(L);
   }
-  if ((int32_t)ls->n > 0 || L->top-1 != bcread_oldtop(L, ls))
+  if ((ls->n && !ls->endmark) || L->top-1 != bcread_oldtop(L, ls))
     bcread_error(ls, LJ_ERR_BCBAD);
   /* Pop off last prototype. */
   L->top--;

src/lj_lex.c

@@ -49,6 +49,10 @@ static int fillbuf(LexState *ls)
   size_t sz;
   const char *buf = ls->rfunc(ls->L, ls->rdata, &sz);
   if (buf == NULL || sz == 0) return END_OF_STREAM;
+  if (sz >= LJ_MAX_MEM) {
+    if (sz != ~(size_t)0) lj_err_mem(ls->L);
+    ls->endmark = 1;
+  }
   ls->n = (MSize)sz - 1;
   ls->p = buf;
   return char2int(*(ls->p++));
@@ -382,6 +386,7 @@ int lj_lex_setup(lua_State *L, LexState *ls)
   ls->lookahead = TK_eof;  /* No look-ahead token. */
   ls->linenumber = 1;
   ls->lastline = 1;
+  ls->endmark = 0;
   lj_str_resizebuf(ls->L, &ls->sb, LJ_MIN_SBUF);
   next(ls);  /* Read-ahead first char. */
   if (ls->current == 0xef && ls->n >= 2 && char2int(ls->p[0]) == 0xbb &&

src/lj_lex.h

@@ -72,6 +72,7 @@ typedef struct LexState {
   BCInsLine *bcstack;	/* Stack for bytecode instructions/line numbers. */
   MSize sizebcstack;	/* Size of bytecode stack. */
   uint32_t level;	/* Syntactical nesting level. */
+  int endmark;		/* Trust bytecode end marker, even if not at EOF. */
 } LexState;
 
 LJ_FUNC int lj_lex_setup(lua_State *L, LexState *ls);