commit cfd7bc478f21494c254a8ed514271dbe655721b0
parent 737ec947d3f33e73e587f7020dba40b1818ac64d
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Wed, 3 Nov 2004 10:22:17 -0200
better patch for buffer overflow error
Diffstat:
M | bugs | | | 30 | ++++++++++++++++++++++-------- |
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/bugs b/bugs
@@ -658,14 +658,28 @@ rep129(longs)
patch = [[
* lvm.c:
-329c329,331
-< tl += tsvalue(top-n-1)->tsv.len;
----
-> size_t l = tsvalue(top-n-1)->tsv.len;
-> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
-> tl += l;
-332d333
-< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+@@ -321,15 +321,15 @@
+ luaG_concaterror(L, top-2, top-1);
+ } else if (tsvalue(top-1)->tsv.len > 0) { /* if len=0, do nothing */
+ /* at least two string values; get as many as possible */
+- lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
+- cast(lu_mem, tsvalue(top-2)->tsv.len);
++ size_t tl = tsvalue(top-1)->tsv.len;
+ char *buffer;
+ int i;
+- while (n < total && tostring(L, top-n-1)) { /* collect total length */
+- tl += tsvalue(top-n-1)->tsv.len;
+- n++;
++ /* collect total length */
++ for (n = 1; n < total && tostring(L, top-n-1); n++) {
++ size_t l = tsvalue(top-n-1)->tsv.len;
++ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
++ tl += l;
+ }
+- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+ buffer = luaZ_openspace(L, &G(L)->buff, tl);
+ tl = 0;
+ for (i=n; i>0; i--) { /* concat all strings */
]]
}
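Review bot: The new guard `if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");` in the embedded lvm.c patch has no comment explaining why the test runs before `tl += l`. Without one, a later edit could move the check back after the addition, which is the form of the removed `if (tl > MAX_SIZET)` line. I would add a line above the test such as `/* test before adding: tl + l could wrap around size_t */`. The subtraction is only meaningful while `tl` stays below MAX_SIZET, which the `>=` comparison appears to keep true on every pass; MAX_SIZET's definition is not visible here, so that is worth confirming. The enclosing lvm.c function starts and ends outside the embedded patch.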