bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate

up to 60 characters in a `printf'. That causes a buffer overflow in `tostring'..
2003-08-25 16:49:47 -03:00 · 2003-08-25 16:49:47 -03:00 · 64066359dd
parent 97af24ea32
commit 64066359dd
2 changed files with 25 additions and 18 deletions
--- a/lbaselib.c
+++ b/lbaselib.c
@ -1,5 +1,5 @@
 /*
-** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
 ** Basic library
 ** See Copyright Notice in lua.h
 */
@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {


 static int luaB_tostring (lua_State *L) {
-  char buff[64];
+  char buff[4*sizeof(void *) + 2];  /* enough space for a `%p' */
+  const char *tn = "";
+  const void *p = NULL;
  luaL_checkany(L, 1);
  if (luaL_callmeta(L, 1, "__tostring"))  /* is there a metafield? */
    return 1;  /* use its value */
@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
    case LUA_TBOOLEAN:
      lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
      return 1;
-    case LUA_TTABLE:
-      sprintf(buff, "table: %p", lua_topointer(L, 1));
-      break;
-    case LUA_TFUNCTION:
-      sprintf(buff, "function: %p", lua_topointer(L, 1));
-      break;
-    case LUA_TUSERDATA:
-    case LUA_TLIGHTUSERDATA:
-      sprintf(buff, "userdata: %p", lua_touserdata(L, 1));
-      break;
-    case LUA_TTHREAD:
-      sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1));
-      break;
    case LUA_TNIL:
      lua_pushliteral(L, "nil");
      return 1;
+    case LUA_TTABLE:
+      p = lua_topointer(L, 1);
+      tn = "table";
+      break;
+    case LUA_TFUNCTION:
+      p = lua_topointer(L, 1);
+      tn = "function";
+      break;
+    case LUA_TUSERDATA:
+    case LUA_TLIGHTUSERDATA:
+      p = lua_touserdata(L, 1);
+      tn = "userdata";
+      break;
+    case LUA_TTHREAD:
+      p = lua_tothread(L, 1);
+      tn = "thread";
+      break;
  }
-  lua_pushstring(L, buff);
+  sprintf(buff, "%p", p);
+  lua_pushfstring(L, "%s: %s", tn, buff);
  return 1;
 }

--- a/liolib.c
+++ b/liolib.c
@ -1,5 +1,5 @@
 /*
-** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $
+** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
 ** Standard I/O (and system) library
 ** See Copyright Notice in lua.h
 */
@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {


 static int io_tostring (lua_State *L) {
-  char buff[32];
+  char buff[4*sizeof(void *) + 2];  /* enough space for a `%p' */
  FILE **f = topfile(L, 1);
  if (*f == NULL)
    strcpy(buff, "closed");