From 271e05917f7782db2301e04923423b00994c75db Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Tue, 17 Aug 2004 14:45:45 -0300
Subject: [PATCH] bug: lua_getupvalue and setupvalue do not check for index too small.
---
 bugs | 21 +++++++++++++++++++++
 lapi.c | 6 +++---
 2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/bugs b/bugs
index 5ad6f1c5..2efc9aba 100644
--- a/bugs
+++ b/bugs
@@ -669,3 +669,24 @@ patch = [[
 ]]
 }
 
+
+Bug{
+what = [[lua_getupvalue and setupvalue do not check for index too small]],
+
+report = [[Mike Pall, ?/2004]],
+
+example = [[debug.getupvalue(function() end, 0)]],
+
+patch = [[
+* lapi.c
+941c941
+< if (n > f->c.nupvalues) return NULL;
+---
+> if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
+947c947
+< if (n > p->sizeupvalues) return NULL;
+---
+> if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
+]]
+}
+
diff --git a/lapi.c b/lapi.c
index 985eb3ce..83fe3f40 100644
--- a/lapi.c
+++ b/lapi.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lapi.c,v 2.15 2004/08/10 19:17:23 roberto Exp roberto $
+** $Id: lapi.c,v 2.16 2004/08/12 17:02:51 roberto Exp roberto $
 ** Lua API
 ** See Copyright Notice in lua.h
 */
@@ -938,13 +938,13 @@ static const char *aux_upvalue (lua_State *L, StkId fi, int n, TValue **val) {
 if (!ttisfunction(fi)) return NULL;
 f = clvalue(fi);
 if (f->c.isC) {
- if (n > f->c.nupvalues) return NULL;
+ if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
 *val = &f->c.upvalue[n-1];
 return "";
 }
 else {
 Proto *p = f->l.p;
- if (n > p->sizeupvalues) return NULL;
+ if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
 *val = f->l.upvals[n-1]->v;
 return getstr(p->upvalues[n-1]);
 }
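Review bot: In the `else` branch of the `aux_upvalue` hunk in lapi.c, the new guard bounds `n` by `p->sizeupvalues`, which sizes the prototype's name array `p->upvalues`, yet the next line indexes a different array, `f->l.upvals[n-1]`, whose length is not visible in the hunk. The check is memory-safe only if `sizeupvalues` never exceeds the closure's own upvalue count; if that invariant holds, it should be written next to the guard, for example `/* n is 1-based; p->sizeupvalues never exceeds the number of entries in f->l.upvals */`. Assuming the Lua closure carries the same `nupvalues` field the C branch reads, `lua_assert(p->sizeupvalues <= f->l.nupvalues);` before the check would enforce it in debug builds. Both guards would also benefit from a short comment saying that `n <= 0` is rejected because `[n-1]` would otherwise address memory before the array, which matters most on the `lua_setupvalue` path named in the subject, since that one writes. The function begins and ends outside the hunk, so the declaration of `f` and the callers' handling of the NULL return cannot be checked here.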