From 2d6c3213aec9c62cfb668bbbf404ef3806c51c8f Mon Sep 17 00:00:00 2001
From: Jason Ish <jason.ish@oisf.net>
Date: Tue, 28 Apr 2026 08:34:41 +0200
Subject: [PATCH] lua: enforce allocation limit on first alloc

Instead of just on re-alloc.

Ticket: #8507
---
 src/util-lua-sandbox.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
index c81e5d5187..7e380128d4 100644
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@@ -64,6 +64,13 @@ static void *LuaAlloc(void *ud, void *ptr, size_t osize, size_t nsize)
         return NULL;
     } else if (ptr == NULL) {
         /* Allocating new data. */
+        if (ctx->alloc_limit != 0 && ctx->alloc_bytes + nsize > ctx->alloc_limit) {
+            /* This request will exceed the allocation limit. Act as
+             * though allocation failed. */
+            ctx->memory_limit_error = true;
+            return NULL;
+        }
+
         void *nptr = SCRealloc(ptr, nsize);
         if (nptr != NULL) {
             ctx->alloc_bytes += nsize;