Patch to fix the issue
The underlying cause in bug 49649 is a buffer overflow in malloced memory in the luasandbox PHP extension. In Lua's C API, the caller is responsible for calling lua_checkstack to expand the Lua's stack as necessary before pushing onto it, and the various lua_push* functions apparently don't do any checking unless you compile with certain debug options activated. The lua_checkstack call isn't being done when processing arguments when calling from PHP to Lua or when returning values from PHP to Lua, so if the existing Lua stack isn't big enough (default is space for 20 values unless some other call already made Lua allocate a bigger stack) it will overflow into the next data structure on the heap.
FYI, an easier reproduction in Scribunto than the one given in bug 49649 is the one liner mw.ustring.codepoint( string.rep( 'x', 1000 ), 1, -1); the limit on the 1000 depends on whether anything else has already increased the Lua stack size. An even simpler (but longer) one-liner is to replace the string.rep call with a literal string of sufficient length. It can also be reproduced from the command line, see the tests in the attached patch.
Deployment process is apparently to update the changelog then have someone with appropriate access (Ops?) run the wmf-build script that's in the mediawiki/php/luasandbox repo. Tim usually does all that, of course, but he's on vacation this week.
Version: unspecified
Severity: normal
attachment patch ignored as obsolete