#
# old_revision [44753df5f45d3e06dab3f8c822ba86dc70a0068a]
#
# patch "lua/lapi.c"
# from [aab0780b5a32d4545a0771d6524034c7010ac84a]
# to [91b86646ed16df452851b6831d6e614a18ada6f8]
#
# patch "lua/lgc.c"
# from [88ba8787c48bd5e9d7a255b50e7ff587ca740f18]
# to [da25605c036b7bee649696d0f2df449d5c8ff8cf]
#
# patch "lua/lvm.c"
# from [a7ba54085b2d7755938c1db9c57e2fecab3058b1]
# to [b3b742dd83254cb68fdd3010af2dae9fc74c52c1]
#
============================================================
--- lua/lapi.c aab0780b5a32d4545a0771d6524034c7010ac84a
+++ lua/lapi.c 91b86646ed16df452851b6831d6e614a18ada6f8
@@ -879,13 +879,13 @@
 if (!ttisfunction(fi)) return NULL;
 f = clvalue(fi);
 if (f->c.isC) {
- if (n > f->c.nupvalues) return NULL;
+ if (!(l <= n && n <= f->c.nupvalues)) return NULL;
 *val = &f->c.upvalue[n-1];
 return "";
 }
 else {
 Proto *p = f->l.p;
- if (n > p->sizeupvalues) return NULL;
+ if (!(l <= n && n <= p->sizeupvalues)) return NULL;
 *val = f->l.upvals[n-1]->v;
 return getstr(p->upvalues[n-1]);
 }
============================================================
--- lua/lgc.c 88ba8787c48bd5e9d7a255b50e7ff587ca740f18
+++ lua/lgc.c da25605c036b7bee649696d0f2df449d5c8ff8cf
@@ -218,10 +218,8 @@
 markvalue(st, cl->l.p);
 for (i=0; il.nupvalues; i++) { /* mark its upvalues */
 UpVal *u = cl->l.upvals[i];
- if (!u->marked) {
- markobject(st, &u->value);
- u->marked = 1;
- }
+ markobject(st, u->v);
+ u->marked = 1;
 }
 }
 }
============================================================
--- lua/lvm.c a7ba54085b2d7755938c1db9c57e2fecab3058b1
+++ lua/lvm.c b3b742dd83254cb68fdd3010af2dae9fc74c52c1
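Review bot: As rendered, the new lower bound in both branches of the lua/lapi.c hunk reads `l <= n` with a lowercase letter l, and no `l` is declared in the visible lines. If that is what was committed rather than a rendering artefact, the check either fails to compile or compares `n` against an unrelated variable, and the `n-1` index below it is not reliably protected against `n <= 0`. The intended guard is presumably `if (!(1 <= n && n <= f->c.nupvalues)) return NULL;`, and the same with `p->sizeupvalues` in the else branch. The enclosing function starts and ends outside the hunk, so a declaration of `l` there cannot be ruled out from here.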
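Review bot: The lua/lgc.c hunk now dereferences `u->v` for every upvalue on every traversal, but nothing in the loop says why the `marked` short-circuit was dropped or why `u->v` is always safe to follow. A one-line comment above the call would record it, for example `/* mark through u->v, the slot readers such as lapi.c use, not the embedded u->value */`. `u->marked = 1` is still written but no longer tested here, so it is worth confirming that another reader outside the hunk still needs the field. The loop's enclosing function begins before the hunk.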
@@ -321,15 +321,15 @@
 luaG_concaterror(L, top-2, top-1);
 } else if (tsvalue(top-1)->tsv.len > 0) { /* if len=0, do nothing */
 /* at least two string values; get as many as possible */
- lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
- cast(lu_mem, tsvalue(top-2)->tsv.len);
+ size_t tl = tsvalue(top-1)->tsv.len;
 char *buffer;
 int i;
- while (n < total && tostring(L, top-n-1)) { /* collect total length */
- tl += tsvalue(top-n-1)->tsv.len;
- n++;
+ /* collect total length */
+ for (n = 1; n < total && tostring(L, top-n-1); n++) {
+ size_t l = tsvalue(top-n-1)->tsv.len;
+ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+ tl += l;
 }
- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
 buffer = luaZ_openspace(L, &G(L)->buff, tl);
 tl = 0;
 for (i=n; i>0; i--) { /* concat all strings */
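Review bot: The per-operand length in the new loop is named `l`, which is hard to tell apart from `1` and from the `L` state pointer on the same lines, in the one place where the overflow guard has to be read correctly; `size_t len = tsvalue(top-n-1)->tsv.len;` would be clearer. The guard `l >= MAX_SIZET - tl` is rightly evaluated before the addition, and a short comment would keep it that way: `/* test before adding: tl + l could wrap and under-size the buffer */`. The loop now restarts at `n = 1`, so any initialiser or comment on `n` outside the hunk that assumes two operands are already counted should be checked. The enclosing function begins before and continues after the hunk.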