From d51bdc166d144b3d81b01e2b97a5420978528e01 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Fri, 20 Feb 2015 16:21:29 -0200
Subject: [PATCH] bug: 'string.format("%f")' can cause a buffer overflow (with long doubles)
bug: 'debug.getlocal' on a coroutine suspended in a hook can crash the interpreter
---
 bugs | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 92 insertions(+), 2 deletions(-)
diff --git a/bugs b/bugs
index 0d0c3b25..ecf93183 100644
--- a/bugs
+++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
 +++ lundump.c 2008/04/04 19:51:41 2.7.1.4
 @@ -1,5 +1,5 @@
 /*
--** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
-+** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
+-** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
++** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
 ** load precompiled Lua chunks
 ** See Copyright Notice in lua.h
 */
@@ -3273,6 +3273,94 @@ patch = [[
 }
+-----------------------------------------------------------------
+-- Lua 5.3.0
+
+Bug{
+what = [['string.format("%f")' can cause a buffer overflow
+(only when 'lua_Number' is long double!)]],
+report = [[Roberto, 2015/01/13]],
+since = [[5.3]],
+fix = nil,
+example = [[string.format("%.99f", 1e4000) -- when floats are long double]],
+patch = [[
+]]
+}
+
+Bug{
+what = [['debug.getlocal' on a coroutine suspended in a hook
+can crash the interpreter]],
+report = [[云风, 2015/02/11]],
+since = [[5.2]],
+fix = nil,
+example = [[see http://lua-users.org/lists/lua-l/2015-02/msg00146.html]],
+patch = [[
+--- ldebug.c 2015/01/02 12:52:22 2.110
++++ ldebug.c 2015/02/13 16:03:23
+@@ -1,4 +1,4 @@
+ /*
+-** $Id: ldebug.c,v 2.110 2015/01/02 12:52:22 roberto Exp $
++** $Id: ldebug.c,v 2.111 2015/02/13 16:01:17 roberto Exp $
+ ** Debug Interface
+ ** See Copyright Notice in lua.h
+@@ -49,4 +49,14 @@
+
+
++static void swapextra (lua_State *L) {
++ if (L->status == LUA_YIELD) {
++ CallInfo *ci = L->ci; /* get function that yielded */
++ StkId temp = ci->func; /* exchange its 'func' and 'extra' values */
++ ci->func = restorestack(L, ci->extra);
++ ci->extra = savestack(L, temp);
++ }
++}
++
++
+ /*
+ ** this function can be called asynchronous (e.g. during a signal)
+@@ -145,4 +155,5 @@
+ const char *name;
+ lua_lock(L);
++ swapextra(L);
+ if (ar == NULL) { /* information about non-active function? */
+ if (!isLfunction(L->top - 1)) /* not a Lua function?
*/
+@@ -159,4 +170,5 @@
+ }
+ }
++ swapextra(L);
+ lua_unlock(L);
+ return name;
+@@ -166,10 +178,13 @@
+ LUA_API const char *lua_setlocal (lua_State *L, const lua_Debug *ar, int n) {
+ StkId pos = 0; /* to avoid warnings */
+- const char *name = findlocal(L, ar->i_ci, n, &pos);
++ const char *name;
+ lua_lock(L);
++ swapextra(L);
++ name = findlocal(L, ar->i_ci, n, &pos);
+ if (name) {
+ setobjs2s(L, pos, L->top - 1);
+ L->top--; /* pop value */
+ }
++ swapextra(L);
+ lua_unlock(L);
+ return name;
+@@ -271,4 +286,5 @@
+ StkId func;
+ lua_lock(L);
++ swapextra(L);
+ if (*what == '>') {
+ ci = NULL;
+@@ -289,4 +305,5 @@
+ api_incr_top(L);
+ }
++ swapextra(L);
+ if (strchr(what, 'L'))
+ collectvalidlines(L, cl);
+]]
+}
+
+
 --[=[
 Bug{
 what = [[
 ]],
@@ -3284,3 +3372,5 @@ patch = [[
 ]]
 }
 ]=]
+
+
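Review bot: The `swapextra` helper added by the ldebug.c patch embedded in the second `Bug{}` entry is called in matched pairs around the bodies of `lua_getlocal`, `lua_setlocal` and `lua_getinfo`, yet nothing states the invariant that makes this safe: if any code between the two calls raised a Lua error, the suspended coroutine's top frame would be left with its `func` and `extra` values swapped. Placing `collectvalidlines(L, cl)` after the second `swapextra(L)` in `lua_getinfo` looks deliberate (presumably because that call can allocate and therefore raise), so the invariant seems intended but is only implicit. I would put it on the helper itself, e.g. `/* exchange 'func' and 'extra' of the frame that yielded while a debug call runs; always called in matched pairs, and nothing between the two calls may raise an error */`. Note also that the helper keys on `L->status == LUA_YIELD`, so it runs for any suspended coroutine and not only one suspended in a hook as the entry's title says; if that is intended, the comment should say so. The inner hunks quote only fragments of those three functions, whose bodies continue outside the embedded patch.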