commit 271e05917f7782db2301e04923423b00994c75db
parent fe8c365281f0f23f24ea79357296b8b9c91b7fdb
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Tue, 17 Aug 2004 14:45:23 -0300
bug: lua_getupvalue and setupvalue do not check for index too small.
Diffstat:
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/bugs b/bugs
@@ -669,3 +669,24 @@ patch = [[
]]
}
+
+Bug{
+what = [[lua_getupvalue and setupvalue do not check for index too small]],
+
+report = [[Mike Pall, ?/2004]],
+
+example = [[debug.getupvalue(function() end, 0)]],
+
+patch = [[
+* lapi.c
+941c941
+< if (n > f->c.nupvalues) return NULL;
+---
+> if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
+947c947
+< if (n > p->sizeupvalues) return NULL;
+---
+> if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
+]]
+}
+
diff --git a/lapi.c b/lapi.c
@@ -1,5 +1,5 @@
/*
-** $Id: lapi.c,v 2.15 2004/08/10 19:17:23 roberto Exp roberto $
+** $Id: lapi.c,v 2.16 2004/08/12 17:02:51 roberto Exp roberto $
** Lua API
** See Copyright Notice in lua.h
*/
@@ -938,13 +938,13 @@ static const char *aux_upvalue (lua_State *L, StkId fi, int n, TValue **val) {
if (!ttisfunction(fi)) return NULL;
f = clvalue(fi);
if (f->c.isC) {
- if (n > f->c.nupvalues) return NULL;
+ if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
*val = &f->c.upvalue[n-1];
return "";
}
else {
Proto *p = f->l.p;
- if (n > p->sizeupvalues) return NULL;
+ if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
*val = f->l.upvals[n-1]->v;
return getstr(p->upvalues[n-1]);
}
