commit d51bdc166d144b3d81b01e2b97a5420978528e01
parent 81245b1ad51c5f4a4dd71da272b65b2450929b80
Author: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Fri, 20 Feb 2015 16:21:04 -0200
bug: 'string.format("%f")' can cause a buffer overflow (with long doubles)
bug: 'debug.getlocal' on a coroutine suspended in a hook can crash
the interpreter
Diffstat:
M | bugs | | | 94 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- |
1 file changed, 92 insertions(+), 2 deletions(-)
diff --git a/bugs b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
+++ lundump.c 2008/04/04 19:51:41 2.7.1.4
@@ -1,5 +1,5 @@
/*
--** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
-+** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
+-** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
++** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
** load precompiled Lua chunks
** See Copyright Notice in lua.h
*/
@@ -3273,6 +3273,94 @@ patch = [[
}
+-----------------------------------------------------------------
+-- Lua 5.3.0
+
+Bug{
+what = [['string.format("%f")' can cause a buffer overflow
+(only when 'lua_Number' is long double!)]],
+report = [[Roberto, 2015/01/13]],
+since = [[5.3]],
+fix = nil,
+example = [[string.format("%.99f", 1e4000) -- when floats are long double]],
+patch = [[
+]]
+}
+
+Bug{
+what = [['debug.getlocal' on a coroutine suspended in a hook
+can crash the interpreter]],
+report = [[云风, 2015/02/11]],
+since = [[5.2]],
+fix = nil,
+example = [[see http://lua-users.org/lists/lua-l/2015-02/msg00146.html]],
+patch = [[
+--- ldebug.c 2015/01/02 12:52:22 2.110
++++ ldebug.c 2015/02/13 16:03:23
+@@ -1,4 +1,4 @@
+ /*
+-** $Id: ldebug.c,v 2.110 2015/01/02 12:52:22 roberto Exp $
++** $Id: ldebug.c,v 2.111 2015/02/13 16:01:17 roberto Exp $
+ ** Debug Interface
+ ** See Copyright Notice in lua.h
+@@ -49,4 +49,14 @@
+
+
++static void swapextra (lua_State *L) {
++ if (L->status == LUA_YIELD) {
++ CallInfo *ci = L->ci; /* get function that yielded */
++ StkId temp = ci->func; /* exchange its 'func' and 'extra' values */
++ ci->func = restorestack(L, ci->extra);
++ ci->extra = savestack(L, temp);
++ }
++}
++
++
+ /*
+ ** this function can be called asynchronous (e.g. during a signal)
+@@ -145,4 +155,5 @@
+ const char *name;
+ lua_lock(L);
++ swapextra(L);
+ if (ar == NULL) { /* information about non-active function? */
+ if (!isLfunction(L->top - 1)) /* not a Lua function? */
+@@ -159,4 +170,5 @@
+ }
+ }
++ swapextra(L);
+ lua_unlock(L);
+ return name;
+@@ -166,10 +178,13 @@
+ LUA_API const char *lua_setlocal (lua_State *L, const lua_Debug *ar, int n) {
+ StkId pos = 0; /* to avoid warnings */
+- const char *name = findlocal(L, ar->i_ci, n, &pos);
++ const char *name;
+ lua_lock(L);
++ swapextra(L);
++ name = findlocal(L, ar->i_ci, n, &pos);
+ if (name) {
+ setobjs2s(L, pos, L->top - 1);
+ L->top--; /* pop value */
+ }
++ swapextra(L);
+ lua_unlock(L);
+ return name;
+@@ -271,4 +286,5 @@
+ StkId func;
+ lua_lock(L);
++ swapextra(L);
+ if (*what == '>') {
+ ci = NULL;
+@@ -289,4 +305,5 @@
+ api_incr_top(L);
+ }
++ swapextra(L);
+ if (strchr(what, 'L'))
+ collectvalidlines(L, cl);
+]]
+}
+
+
--[=[
Bug{
what = [[ ]],
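Review bot: swapextra in the embedded ldebug.c patch reads as a bare exchange of ci->func and ci->extra, and nothing in the patch states the invariant it relies on — that while a coroutine is suspended with status LUA_YIELD, ci->extra holds the saved stack position of the yielded function's 'func' (presumably stored there by lua_yieldk; confirm against ldo.c). A short header comment would make the pairing discipline obvious to the next reader, e.g. `/* If the function yielded, its real 'func' is saved in 'extra'; exchange them so the debug routines see the proper frame. Always called in pairs (swap in, swap back) with no return or error in between. */`. The bodies of lua_getlocal, lua_setlocal and lua_getinfo between each pair of swapextra calls lie mostly outside the hunk, so whether any early return or raised error could leave a frame swapped cannot be checked here. The swap also acts on L->ci regardless of which frame ar->i_ci names; this looks harmless because it is undone before return, but is worth a word in that comment.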
@@ -3284,3 +3372,5 @@ patch = [[
]]
}
]=]
+
+