From 138af0a74c83e7b944e378faa5f9b1073463b03a Mon Sep 17 00:00:00 2001
From: "G.Grandes"
Date: Sat, 22 Feb 2025 00:21:24 +0100
Subject: [PATCH 1/2] Fix OutOfMemory bugzilla#69590 Proposed patch to resolve OutOfMemory, in local testing it has worked correctly. https://bz.apache.org/bugzilla/show_bug.cgi?id=69590
---
 modules/lua/mod_lua.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index ed5c839fe9a..8fc1c6c6c9d 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -498,6 +498,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
 APR_BRIGADE_INSERT_TAIL(ctx->tmpBucket, pbktOut);
 rv = ap_pass_brigade(f->next, ctx->tmpBucket);
 apr_brigade_cleanup(ctx->tmpBucket);
+ apr_bucket_delete(pbktIn);
 if (rv != APR_SUCCESS) {
 return rv;
 }
From aeae338afa2fbde396ffaf591f3d6146034f4560 Mon Sep 17 00:00:00 2001
From: "G.Grandes"
Date: Mon, 24 Feb 2025 20:57:17 +0100
Subject: [PATCH 2/2] FIX: mod_lua: OutOfMemory in LuaOutputFilter (with LARGE data) bugzilla#69590 Fixed proposal patch to resolve OutOfMemory and use-after-free. In local testing it has worked correctly. https://bz.apache.org/bugzilla/show_bug.cgi?id=69590
---
 modules/lua/mod_lua.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index 8fc1c6c6c9d..7d5d14ddcf1 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -473,10 +473,12 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
 L = ctx->L;
 /* While the Lua function is still yielding, pass in buckets to the coroutine */
 if (!ctx->broken) {
- for (pbktIn = APR_BRIGADE_FIRST(pbbIn);
- pbktIn != APR_BRIGADE_SENTINEL(pbbIn);
- pbktIn = APR_BUCKET_NEXT(pbktIn))
+ while (!APR_BRIGADE_EMPTY(pbbIn))
 {
+ pbktIn = APR_BRIGADE_FIRST(pbbIn);
+ if (APR_BUCKET_IS_EOS(pbktIn)) {
+ break;
+ }
 const char *data;
 apr_size_t len;
 apr_bucket *pbktOut;
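Review bot: In patch 1/2 (hunk `@@ -498,6 +498,7 @@`), the added `apr_bucket_delete(pbktIn);` frees the bucket that the enclosing loop is still iterating over. The loop header that patch 2/2 removes shows the iterator advancing with `pbktIn = APR_BUCKET_NEXT(pbktIn)`, which would then read a freed bucket. Patch 2/2 corrects this, but with 1/2 applied alone the tree has a use-after-free in the output filter, so the two patches should be squashed into one commit before merging. The loop header itself lies outside this hunk.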
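Review bot: In patch 2/2 (hunk `@@ -473,10 +473,12 @@`), the declarations `const char *data;`, `apr_size_t len;` and `apr_bucket *pbktOut;` now come after the new `pbktIn = APR_BRIGADE_FIRST(pbbIn);` assignment and the EOS check, which mixes declarations and code inside the block. If the project builds as C89 or with declaration-after-statement warnings enabled, this will be flagged. Moving the three declarations directly after the opening `{`, before `pbktIn = APR_BRIGADE_FIRST(pbbIn);`, avoids that and changes nothing else. The loop body continues past the end of this hunk.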
@@ -498,7 +500,6 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
 APR_BRIGADE_INSERT_TAIL(ctx->tmpBucket, pbktOut);
 rv = ap_pass_brigade(f->next, ctx->tmpBucket);
 apr_brigade_cleanup(ctx->tmpBucket);
- apr_bucket_delete(pbktIn);
 if (rv != APR_SUCCESS) {
 return rv;
 }
@@ -515,6 +516,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
 lua_tostring(L, -1));
 return HTTP_INTERNAL_SERVER_ERROR;
 }
+ apr_bucket_delete(pbktIn);
 }
 /* If we've safely reached the end, do a final call to Lua to allow for any finishing moves by the script, such as appending a tail. */
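Review bot: The `apr_bucket_delete(pbktIn);` added at the bottom of the loop body (hunk `@@ -515,6 +516,7 @@`) is now the only statement that advances the new `while (!APR_BRIGADE_EMPTY(pbbIn))` loop, and nothing in the code says so. A later `continue`, or a new branch that skips the delete without returning, would make the loop re-read the same first bucket and never terminate. I would add a comment above it, for example `/* Bucket consumed: delete it so large responses are not held in memory; this is also what advances the loop, so keep it as the last statement. */`. The loop's opening and the rest of its body are outside this hunk.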