File luajit-CVE-2024-25177.patch of Package luajit.40045

diff -urp luajit-2.1.0~beta3+git.1624618403.e9577376.orig/src/lj_snap.c luajit-2.1.0~beta3+git.1624618403.e9577376/src/lj_snap.c
--- luajit-2.1.0~beta3+git.1624618403.e9577376.orig/src/lj_snap.c	2021-06-25 05:53:23.000000000 -0500
+++ luajit-2.1.0~beta3+git.1624618403.e9577376/src/lj_snap.c	2025-08-05 16:47:24.252738908 -0500
@@ -419,6 +419,7 @@ static TRef snap_replay_const(jit_State
   case IR_KNUM: case IR_KINT64:
     return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64);
   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
+  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
   default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL;
   }
 }
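Review bot: The new `case IR_KNULL:` on the line after the IR_KPTR case is the only constant case in this switch without a comment saying why it is reachable, while the neighbouring cases carry one; the companion hunk in snap_unsink shows the origin is a sunk metatable store whose value is a NULL constant. I'd add `case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));  /* E.g. sunk store of a NULL metatable. */` so a reader does not have to cross-reference the unsink path. Passing `irt_type(ir->t)` keeps the original constant's type on replay, which looks correct but is inferred here; the rest of snap_replay_const, including the switch header, lies outside the hunk.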
@@ -846,9 +847,13 @@ static void snap_unsink(jit_State *J, GC
 	if (irk->o == IR_FREF) {
 	  lj_assertJ(irk->op2 == IRFL_TAB_META,
 		     "sunk store with bad field %d", irk->op2);
-	  snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
-	  /* NOBARRIER: The table is new (marked white). */
-	  setgcref(t->metatable, obj2gco(tabV(&tmp)));
+	  if (T->ir[irs->op2].o == IR_KNULL) {
+	    setgcrefnull(t->metatable);
+	  } else {
+	    snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+	    /* NOBARRIER: The table is new (marked white). */
+	    setgcref(t->metatable, obj2gco(tabV(&tmp)));
+	  }
 	} else {
 	  irk = &T->ir[irk->op2];
 	  if (irk->o == IR_KSLOT) irk = &T->ir[irk->op1];
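Review bot: The new branch indexes `T->ir[irs->op2].o` inline, whereas the surrounding code in this function reads IR instructions through a named pointer (`irk = &T->ir[irk->op2];` two lines below); a local such as `IRIns *irv = &T->ir[irs->op2];` followed by `if (irv->o == IR_KNULL)` would match that style and name what is being tested. The branch itself also lacks a comment explaining why the restore path is skipped; I'd add `/* NULL constant: no table to restore, just clear the metatable. */` above `setgcrefnull(t->metatable);`, which also makes clear that the NOBARRIER remark now applies only to the else path. The enclosing snap_unsink begins before and continues after this hunk.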