commit 5ac3386888347cb4d9b3ffc6d5abd1a4cfc8d1c9
parent 6d182faab65f7634802904c489de6dabcb56830a
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Thu, 14 Feb 2008 14:02:46 -0200
bug: unpack with maximum indices may crash due to arithmetic overflow
Diffstat:
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lbaselib.c b/lbaselib.c
@@ -1,5 +1,5 @@
/*
-** $Id: lbaselib.c,v 1.202 2008/01/03 17:07:59 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.203 2008/02/11 19:14:52 roberto Exp roberto $
** Basic library
** See Copyright Notice in lua.h
*/
@@ -353,10 +353,12 @@ static int luaB_unpack (lua_State *L) {
luaL_checktype(L, 1, LUA_TTABLE);
i = luaL_optint(L, 2, 1);
e = luaL_opt(L, luaL_checkint, 3, (int)lua_objlen(L, 1));
+ if (i > e) return 0; /* empty range */
n = e - i + 1; /* number of elements */
- if (n <= 0) return 0; /* empty range */
- luaL_checkstack(L, n, "table too big to unpack");
- for (; i<=e; i++) /* push arg[i...e] */
+ if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
+ return luaL_error(L, "too many results to unpack");
+ lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
+ while (i++ < e) /* push arg[i + 1...e] */
lua_rawgeti(L, 1, i);
return n;
}
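Review bot: The overflow test `n <= 0` after `n = e - i + 1` relies on signed wrap-around, which is undefined behaviour in C. Because `i > e` has already returned, an optimising compiler may assume `n > 0` and drop the check, leaving the crash reachable with extreme script-supplied indices. Computing the span in unsigned arithmetic avoids this: `unsigned int span = (unsigned int)e - (unsigned int)i;`, then `if (span >= (unsigned int)INT_MAX || !lua_checkstack(L, (int)span + 1))`, then `n = (int)span + 1;` (this needs `<limits.h>`, which the hunk does not show). The final post-increment in `while (i++ < e)` also overflows when `e` is `INT_MAX`; incrementing only inside the loop body avoids it. The declarations of `i`, `e` and `n` sit above the hunk, so their `int` type is inferred from `luaL_optint`/`luaL_checkint` and the `(int)` cast.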