From 64066359dda2a0920d307e901185faf78cc32b97 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Mon, 25 Aug 2003 16:49:47 -0300
Subject: [PATCH] bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate up to 60 characters in a `printf'. That causes a buffer overflow in `tostring'..
---
 lbaselib.c | 39 +++++++++++++++++++++++----------------
 liolib.c | 4 ++--
 2 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/lbaselib.c b/lbaselib.c
index 4c761bbf..fd5c7428 100644
--- a/lbaselib.c
+++ b/lbaselib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
 ** Basic library
 ** See Copyright Notice in lua.h
 */
@@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {
 static int luaB_tostring (lua_State *L) {
- char buff[64];
+ char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
+ const char *tn = "";
+ const void *p = NULL;
 luaL_checkany(L, 1);
 if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */
 return 1; /* use its value */
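Review bot: The new size `4*sizeof(void *) + 2` for `buff` in `luaB_tostring` is still an assumption about an implementation-defined `%p` width, and the comment does not say where the bound comes from. I would record the derivation at the declaration, e.g. `/* "%p" width is implementation-defined; assume at most 4 chars per pointer byte (OS400: 16-byte pointers, up to 60 chars) */`, so a port to a platform with a longer rendering knows what to re-check. The same expression is repeated for `io_tostring` in liolib.c; defining it once in a shared macro would keep the two buffers from drifting apart. The body of `luaB_tostring` continues outside this hunk.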
@@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
 case LUA_TBOOLEAN:
 lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
 return 1;
- case LUA_TTABLE:
- sprintf(buff, "table: %p", lua_topointer(L, 1));
- break;
- case LUA_TFUNCTION:
- sprintf(buff, "function: %p", lua_topointer(L, 1));
- break;
- case LUA_TUSERDATA:
- case LUA_TLIGHTUSERDATA:
- sprintf(buff, "userdata: %p", lua_touserdata(L, 1));
- break;
- case LUA_TTHREAD:
- sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1));
- break;
 case LUA_TNIL:
 lua_pushliteral(L, "nil");
 return 1;
+ case LUA_TTABLE:
+ p = lua_topointer(L, 1);
+ tn = "table";
+ break;
+ case LUA_TFUNCTION:
+ p = lua_topointer(L, 1);
+ tn = "function";
+ break;
+ case LUA_TUSERDATA:
+ case LUA_TLIGHTUSERDATA:
+ p = lua_touserdata(L, 1);
+ tn = "userdata";
+ break;
+ case LUA_TTHREAD:
+ p = lua_tothread(L, 1);
+ tn = "thread";
+ break;
 }
- lua_pushstring(L, buff);
+ sprintf(buff, "%p", p);
+ lua_pushfstring(L, "%s: %s", tn, buff);
 return 1;
 }
diff --git a/liolib.c b/liolib.c
index 45dc6cb3..112a1fce 100644
--- a/liolib.c
+++ b/liolib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $
+** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
 ** Standard I/O (and system) library
 ** See Copyright Notice in lua.h
 */
@@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {
 static int io_tostring (lua_State *L) {
- char buff[32];
+ char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
 FILE **f = topfile(L, 1);
 if (*f == NULL)
 strcpy(buff, "closed");
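Review bot: In `luaB_tostring`, the `sprintf(buff, "%p", p)` and `lua_pushfstring` calls after the switch run with `tn == ""` and `p == NULL` whenever no case assigns them, which would push a meaningless string starting with ": ". The switch opens outside this hunk, so I cannot tell whether every type is already handled or a `default:` exists. If not, a fallback arm such as `default: tn = lua_typename(L, lua_type(L, 1)); p = lua_topointer(L, 1); break;` would keep the output meaningful if a new type tag is added later. The remaining `sprintf` is still unbounded, so its safety rests entirely on the buffer size chosen at the declaration.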
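Review bot: The comment on `buff` in `io_tostring` says it is sized for a `%p`, but the visible `strcpy(buff, "closed")` shows the buffer holds other text too, and the write on the non-closed path lies outside this hunk. If that write formats anything besides the bare pointer, the new bound does not cover it, so it is worth confirming against the full function. Once confirmed, I would have the comment state both uses, e.g. `/* holds "closed" or one "%p" rendering */`.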