bug: 'string.format("%f")' can cause a buffer overflow (with long doubles)

bug: 'debug.getlocal' on a coroutine suspended in a hook can crash the interpreter
2015-02-20 16:21:29 -02:00 · 2015-02-20 16:21:29 -02:00 · d51bdc166d
parent 81245b1ad5
commit d51bdc166d
1 changed files with 92 additions and 2 deletions
--- a/94
+++ b/94
@ -1880,8 +1880,8 @@ patch = [[
 +++ lundump.c   2008/04/04 19:51:41     2.7.1.4
@@ -1,5 +1,5 @@
 /*
-** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
-+** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
+-** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
+** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
 ** load precompiled Lua chunks
 ** See Copyright Notice in lua.h
 */
@ -3273,6 +3273,94 @@ patch = [[
 }


+-----------------------------------------------------------------
+-- Lua 5.3.0
+
+Bug{
+what = [['string.format("%f")' can cause a buffer overflow
+(only when 'lua_Number' is long double!)]],
+report = [[Roberto, 2015/01/13]],
+since = [[5.3]],
+fix = nil,
+example = [[string.format("%.99f", 1e4000)    -- when floats are long double]],
+patch = [[
+]]
+}
+
+Bug{
+what = [['debug.getlocal' on a coroutine suspended in a hook
+can crash the interpreter]],
+report = [[云风, 2015/02/11]],
+since = [[5.2]],
+fix = nil,
+example = [[see http://lua-users.org/lists/lua-l/2015-02/msg00146.html]],
+patch = [[
+--- ldebug.c	2015/01/02 12:52:22	2.110
+++ ldebug.c	2015/02/13 16:03:23
+@@ -1,4 +1,4 @@
+ /*
+-** $Id: ldebug.c,v 2.110 2015/01/02 12:52:22 roberto Exp $
+** $Id: ldebug.c,v 2.111 2015/02/13 16:01:17 roberto Exp $
+ ** Debug Interface
+ ** See Copyright Notice in lua.h
+@@ -49,4 +49,14 @@
+ 
+ 
+static void swapextra (lua_State *L) {
+  if (L->status == LUA_YIELD) {
+    CallInfo *ci = L->ci;  /* get function that yielded */
+    StkId temp = ci->func;  /* exchange its 'func' and 'extra' values */
+    ci->func = restorestack(L, ci->extra);
+    ci->extra = savestack(L, temp);
+  }
+}
+
+
+ /*
+ ** this function can be called asynchronous (e.g. during a signal)
+@@ -145,4 +155,5 @@
+   const char *name;
+   lua_lock(L);
+  swapextra(L);
+   if (ar == NULL) {  /* information about non-active function? */
+     if (!isLfunction(L->top - 1))  /* not a Lua function? */
+@@ -159,4 +170,5 @@
+     }
+   }
+  swapextra(L);
+   lua_unlock(L);
+   return name;
+@@ -166,10 +178,13 @@
+ LUA_API const char *lua_setlocal (lua_State *L, const lua_Debug *ar, int n) {
+   StkId pos = 0;  /* to avoid warnings */
+-  const char *name = findlocal(L, ar->i_ci, n, &pos);
+  const char *name;
+   lua_lock(L);
+  swapextra(L);
+  name = findlocal(L, ar->i_ci, n, &pos);
+   if (name) {
+     setobjs2s(L, pos, L->top - 1);
+     L->top--;  /* pop value */
+   }
+  swapextra(L);
+   lua_unlock(L);
+   return name;
+@@ -271,4 +286,5 @@
+   StkId func;
+   lua_lock(L);
+  swapextra(L);
+   if (*what == '>') {
+     ci = NULL;
+@@ -289,4 +305,5 @@
+     api_incr_top(L);
+   }
+  swapextra(L);
+   if (strchr(what, 'L'))
+     collectvalidlines(L, cl);
+]]
+}
+
+
 --[=[
 Bug{
 what = [[ ]],
@ -3284,3 +3372,5 @@ patch = [[
 ]]
 }
 ]=]
+
+