lua

A copy of the Lua development repository

commit 5853c37a83ec66ccb45094f9aeac23dfdbcde671
parent 842a83f09caa2ebd4bc03e0076420148ac07c808
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date:   Thu, 21 Dec 2023 13:37:24 -0300

Bug: Buffer overflow in string concatenation

Even if the string length itself fits in size_t, the total size of the TString
object can overflow once the header size is added to it.

Diffstat:
Mlstring.c | 2+-
Mlvm.c | 2+-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lstring.c b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
 return internshrstr(L, str, l);
 else {
 TString *ts;
- if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+ if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
 luaM_toobig(L);
 ts = luaS_createlngstrobj(L, l);
 memcpy(getlngstr(ts), str, l * sizeof(char));
diff --git a/lvm.c b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
 /* collect total length and number of strings */
 for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
 size_t l = tsslen(tsvalue(s2v(top - n - 1)));
- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+ if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
 L->top.p = top - total; /* pop strings to avoid wasting stack */
 luaG_runerror(L, "string length overflow");
 }
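Review bot: The new bound in luaS_newlstr, `l * sizeof(char) >= (MAX_SIZE - sizeof(TString))`, spells out the same limit that the lvm.c hunk writes as `MAX_SIZE - sizeof(TString) - tl`, so the two checks can silently drift apart if the TString layout or MAX_SIZE ever changes; a single named constant used by both, e.g. `#define MAXSTRLEN (MAX_SIZE - sizeof(TString))` beside the TString definition, would keep them in step. The product `l * sizeof(char)` cannot overflow only because sizeof(char) is 1 by definition, which deserves a short comment since the expression reads like a generic count-times-size multiplication. This is a point of style; the check itself is correct as written. luaS_newlstr starts and ends outside the hunk.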
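Review bot: The unsigned subtraction `MAX_SIZE - sizeof(TString) - tl` in the new luaV_concat check wraps around if tl is ever at or above `MAX_SIZE - sizeof(TString)`, and nothing in the hunk says why that cannot happen. It presumably holds because tl starts as the length of an existing string, which already satisfied the luaS_newlstr bound, and every accepted l keeps tl under the limit; the hunk ends at the closing brace of the if, so the accumulation of tl is not visible here and I cannot confirm it. A comment above the if such as `/* tl < MAX_SIZE - sizeof(TString) on entry (every existing string obeys the luaS_newlstr bound) and stays so after each accepted l, so this subtraction cannot wrap */` would make the invariant explicit for the next reader. luaV_concat starts and ends outside the hunk.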