Browse Source

BUG: string concatenation may cause arithmetic overflow, leading

to a buffer overflow.
v5-2
Roberto Ierusalimschy 21 years ago
parent
commit
9b854e6dbc
  1. 36
      bugs
  2. 7
      lvm.c

36
bugs

@ -633,3 +633,39 @@ patch = [[
]],
}
-----------------------------------------------------------------
-- Lua 5.0.2
Bug{
what = [[string concatenation may cause arithmetic overflow, leading
to a buffer overflow]],
report = [[Rici Lake, 20/05/2004]],
example = [[
longs = string.rep("\0", 2^25)
function catter(i)
return assert(loadstring(
string.format("return function(a) return a%s end",
string.rep("..a", i-1))))()
end
rep129 = catter(129)
rep129(longs)
]],
patch = [[
* lvm.c:
329c329,331
< tl += tsvalue(top-n-1)->tsv.len;
---
> size_t l = tsvalue(top-n-1)->tsv.len;
> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
> tl += l;
332d333
< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
]]
}

7
lvm.c

@ -1,5 +1,5 @@
/*
** $Id: lvm.c,v 2.7 2004/05/31 18:51:50 roberto Exp roberto $
** $Id: lvm.c,v 2.8 2004/06/02 19:07:55 roberto Exp roberto $
** Lua virtual machine
** See Copyright Notice in lua.h
*/
@ -308,10 +308,11 @@ void luaV_concat (lua_State *L, int total, int last) {
char *buffer;
int i;
while (n < total && tostring(L, top-n-1)) { /* collect total length */
tl += tsvalue(top-n-1)->len;
size_t l = tsvalue(top-n-1)->len;
if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
tl += l;
n++;
}
if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
buffer = luaZ_openspace(L, &G(L)->buff, tl);
tl = 0;
for (i=n; i>0; i--) { /* concat all strings */

Loading…
Cancel
Save