GitHub/lua
1
0
Fork 0
mirror of https://github.com/lua/lua.git synced 2025-02-04 06:13:04 +08:00
Code Issues Projects Releases Wiki Activity

bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate

Browse Source 
up to 60 characters in a `printf'. That causes a buffer overflow in
`tostring'..
This commit is contained in:
Roberto Ierusalimschy 2003-08-25 16:49:47 -03:00
parent 97af24ea32
commit 64066359dd
2 changed files with 25 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
lbaselib.c
View File

@ -1,5 +1,5 @@
/* /*
** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $ ** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
** Basic library ** Basic library
** See Copyright Notice in lua.h ** See Copyright Notice in lua.h
*/ */
@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {
static int luaB_tostring (lua_State *L) { static int luaB_tostring (lua_State *L) {
char buff[64]; char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
const char *tn = "";
const void *p = NULL;
luaL_checkany(L, 1); luaL_checkany(L, 1);
if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */ if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */
return 1; /* use its value */ return 1; /* use its value */
@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
case LUA_TBOOLEAN: case LUA_TBOOLEAN:
lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false")); lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
return 1; return 1;
case LUA_TTABLE:
sprintf(buff, "table: %p", lua_topointer(L, 1));
break;
case LUA_TFUNCTION:
sprintf(buff, "function: %p", lua_topointer(L, 1));
break;
case LUA_TUSERDATA:
case LUA_TLIGHTUSERDATA:
sprintf(buff, "userdata: %p", lua_touserdata(L, 1));
break;
case LUA_TTHREAD:
sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1));
break;
case LUA_TNIL: case LUA_TNIL:
lua_pushliteral(L, "nil"); lua_pushliteral(L, "nil");
return 1; return 1;
case LUA_TTABLE:
p = lua_topointer(L, 1);
tn = "table";
break;
case LUA_TFUNCTION:
p = lua_topointer(L, 1);
tn = "function";
break;
case LUA_TUSERDATA:
case LUA_TLIGHTUSERDATA:
p = lua_touserdata(L, 1);
tn = "userdata";
break;
case LUA_TTHREAD:
p = lua_tothread(L, 1);
tn = "thread";
break;
} }
lua_pushstring(L, buff); sprintf(buff, "%p", p);
lua_pushfstring(L, "%s: %s", tn, buff);
return 1; return 1;
} }

4
liolib.c
View File

@ -1,5 +1,5 @@
/* /*
** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $ ** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
** Standard I/O (and system) library ** Standard I/O (and system) library
** See Copyright Notice in lua.h ** See Copyright Notice in lua.h
*/ */
@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {
static int io_tostring (lua_State *L) { static int io_tostring (lua_State *L) {
char buff[32]; char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
FILE **f = topfile(L, 1); FILE **f = topfile(L, 1);
if (*f == NULL) if (*f == NULL)
strcpy(buff, "closed"); strcpy(buff, "closed");