diff --git a/bugs b/bugs index 59af0765..5ad6f1c5 100644 --- a/bugs +++ b/bugs @@ -633,3 +633,39 @@ patch = [[ ]], } + + + +----------------------------------------------------------------- +-- Lua 5.0.2 + +Bug{ +what = [[string concatenation may cause arithmetic overflow, leading +to a buffer overflow]], + +report = [[Rici Lake, 20/05/2004]], + +example = [[ +longs = string.rep("\0", 2^25) +function catter(i) + return assert(loadstring( + string.format("return function(a) return a%s end", + string.rep("..a", i-1))))() +end +rep129 = catter(129) +rep129(longs) +]], + +patch = [[ +* lvm.c: +329c329,331 +< tl += tsvalue(top-n-1)->tsv.len; +--- +> size_t l = tsvalue(top-n-1)->tsv.len; +> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow"); +> tl += l; +332d333 +< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow"); +]] +} + diff --git a/lvm.c b/lvm.c index 44d77783..ffed66e3 100644 --- a/lvm.c +++ b/lvm.c @@ -1,5 +1,5 @@ /* -** $Id: lvm.c,v 2.7 2004/05/31 18:51:50 roberto Exp roberto $ +** $Id: lvm.c,v 2.8 2004/06/02 19:07:55 roberto Exp roberto $ ** Lua virtual machine ** See Copyright Notice in lua.h */ @@ -308,10 +308,11 @@ void luaV_concat (lua_State *L, int total, int last) { char *buffer; int i; while (n < total && tostring(L, top-n-1)) { /* collect total length */ - tl += tsvalue(top-n-1)->len; + size_t l = tsvalue(top-n-1)->len; + if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow"); + tl += l; n++; } - if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow"); buffer = luaZ_openspace(L, &G(L)->buff, tl); tl = 0; for (i=n; i>0; i--) { /* concat all strings */