commit 9b854e6dbcf569113f68e63d87644b69eb00a228
parent 2b2d8ecd7aba6cc7604532c53372db01a30618d3
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Tue, 8 Jun 2004 13:23:36 -0300
BUG: string concatenation may cause arithmetic overflow, leading
to a buffer overflow.
Diffstat:
| M | bugs | | | 36 | ++++++++++++++++++++++++++++++++++++ |
| M | lvm.c | | | 7 | ++++--- |
2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/bugs b/bugs
@@ -633,3 +633,39 @@ patch = [[
]],
}
+
+
+
+-----------------------------------------------------------------
+-- Lua 5.0.2
+
+Bug{
+what = [[string concatenation may cause arithmetic overflow, leading
+to a buffer overflow]],
+
+report = [[Rici Lake, 20/05/2004]],
+
+example = [[
+longs = string.rep("\0", 2^25)
+function catter(i)
+ return assert(loadstring(
+ string.format("return function(a) return a%s end",
+ string.rep("..a", i-1))))()
+end
+rep129 = catter(129)
+rep129(longs)
+]],
+
+patch = [[
+* lvm.c:
+329c329,331
+< tl += tsvalue(top-n-1)->tsv.len;
+---
+> size_t l = tsvalue(top-n-1)->tsv.len;
+> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+> tl += l;
+332d333
+< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+]]
+}
+
diff --git a/lvm.c b/lvm.c
@@ -1,5 +1,5 @@
/*
-** $Id: lvm.c,v 2.7 2004/05/31 18:51:50 roberto Exp roberto $
+** $Id: lvm.c,v 2.8 2004/06/02 19:07:55 roberto Exp roberto $
** Lua virtual machine
** See Copyright Notice in lua.h
*/
@@ -308,10 +308,11 @@ void luaV_concat (lua_State *L, int total, int last) {
char *buffer;
int i;
while (n < total && tostring(L, top-n-1)) { /* collect total length */
- tl += tsvalue(top-n-1)->len;
+ size_t l = tsvalue(top-n-1)->len;
+ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+ tl += l;
n++;
}
- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
buffer = luaZ_openspace(L, &G(L)->buff, tl);
tl = 0;
for (i=n; i>0; i--) { /* concat all strings */
