commit 5853c37a83ec66ccb45094f9aeac23dfdbcde671
parent 842a83f09caa2ebd4bc03e0076420148ac07c808
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Thu, 21 Dec 2023 13:37:24 -0300
Bug: Buffer overflow in string concatenation
Even if the string fits in size_t, the whole size of the TString object
can overflow when we add the header.
Diffstat:
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lstring.c b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
return internshrstr(L, str, l);
else {
TString *ts;
- if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+ if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
luaM_toobig(L);
ts = luaS_createlngstrobj(L, l);
memcpy(getlngstr(ts), str, l * sizeof(char));
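Review bot: The subtraction of sizeof(TString) on the new line is the entire point of the fix, yet nothing at the check says why the header is part of the bound, so a later cleanup could "simplify" it back to a payload-only limit; a one-line comment such as `/* bound the whole object (header + contents), not just the payload */` would pin the intent. The `l * sizeof(char)` on the left is a no-op arithmetically but mirrors the memcpy below, so it is fine to keep. The same `MAX_SIZE - sizeof(TString)` bound is now spelled out independently in lvm.c's luaV_concat (second hunk); if the two ever drift apart, concat can again accumulate a length that luaS_createlngstrobj cannot safely allocate, so a shared macro in lstring.h, e.g. `#define MAXSTRSIZE (MAX_SIZE - sizeof(TString))`, used at both sites would be the safer home for the constant. luaS_newlstr starts and ends outside the hunk.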
diff --git a/lvm.c b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
/* collect total length and number of strings */
for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
size_t l = tsslen(tsvalue(s2v(top - n - 1)));
- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+ if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
L->top.p = top - total; /* pop strings to avoid wasting stack */
luaG_runerror(L, "string length overflow");
}
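Review bot: The unsigned subtraction `MAX_SIZE - sizeof(TString) - tl` on the new line is only safe while tl is already below MAX_SIZE - sizeof(TString); if tl were ever at or above that value the expression would wrap to a huge number and the overflow check would silently pass. That invariant presumably holds because tl is seeded from a string that passed luaS_newlstr's bound and each accepted iteration keeps tl + l below it, but tl's initialization is outside the hunk and nothing in the loop states the assumption. A short comment above the check, `/* tl < MAX_SIZE - sizeof(TString) holds here, so the subtraction cannot wrap */`, would make the precondition explicit for the next reader. luaV_concat continues outside the hunk.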