commit 64066359dda2a0920d307e901185faf78cc32b97
parent 97af24ea3246dca0258ba7089cf2df7ac2080560
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Mon, 25 Aug 2003 16:49:25 -0300
bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate
up to 60 characters in a `printf'. That causes a buffer overflow in
`tostring'.
Diffstat:
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/lbaselib.c b/lbaselib.c
@@ -1,5 +1,5 @@
/*
-** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
** Basic library
** See Copyright Notice in lua.h
*/
@@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {
static int luaB_tostring (lua_State *L) {
- char buff[64];
+ char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
+ const char *tn = "";
+ const void *p = NULL;
luaL_checkany(L, 1);
if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */
return 1; /* use its value */
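Review bot: The new size `4*sizeof(void *) + 2` on `buff` is an estimate, not a guarantee, because it assumes `%p` never prints more than four characters per pointer byte and the C standard leaves the `%p` text implementation-defined. The same expression is repeated for `buff` in `io_tostring` in liolib.c, so the two can drift apart. Defining it once in a header both files include would avoid that, for example `#define MAXPTRSTR (4*sizeof(void *) + 2)` (the name is only a suggestion). I would also make the comment state the assumption, e.g. `/* assumes %p prints at most 4 chars per pointer byte */`, so anyone porting to a new platform knows what to re-check. The body of luaB_tostring continues outside this hunk.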
@@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
case LUA_TBOOLEAN:
lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
return 1;
+ case LUA_TNIL:
+ lua_pushliteral(L, "nil");
+ return 1;
case LUA_TTABLE:
- sprintf(buff, "table: %p", lua_topointer(L, 1));
+ p = lua_topointer(L, 1);
+ tn = "table";
break;
case LUA_TFUNCTION:
- sprintf(buff, "function: %p", lua_topointer(L, 1));
+ p = lua_topointer(L, 1);
+ tn = "function";
break;
case LUA_TUSERDATA:
case LUA_TLIGHTUSERDATA:
- sprintf(buff, "userdata: %p", lua_touserdata(L, 1));
+ p = lua_touserdata(L, 1);
+ tn = "userdata";
break;
case LUA_TTHREAD:
- sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1));
+ p = lua_tothread(L, 1);
+ tn = "thread";
break;
- case LUA_TNIL:
- lua_pushliteral(L, "nil");
- return 1;
}
- lua_pushstring(L, buff);
+ sprintf(buff, "%p", p);
+ lua_pushfstring(L, "%s: %s", tn, buff);
return 1;
}
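Review bot: `sprintf(buff, "%p", p)` near the end of this hunk is still an unbounded write, so the overflow is avoided only while the size estimate on `buff` holds for the platform's `%p` format. Where the build can rely on C99, `snprintf(buff, sizeof(buff), "%p", p);` would cap the write regardless of pointer width. If the code has to stay C89, a comment at the call should say that it depends on the declared size of `buff`. Separately, the visible part of the switch has no `default`, so a type tag not listed here would be formatted from the initial `tn = ""` and `p = NULL`. The switch opens outside this hunk, so earlier cases may already cover the remaining types.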
diff --git a/liolib.c b/liolib.c
@@ -1,5 +1,5 @@
/*
-** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $
+** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
** Standard I/O (and system) library
** See Copyright Notice in lua.h
*/
@@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {
static int io_tostring (lua_State *L) {
- char buff[32];
+ char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
FILE **f = topfile(L, 1);
if (*f == NULL)
strcpy(buff, "closed");