mirror of https://github.com/lua/lua.git synced 2025-01-14 05:43:00 +08:00

better patch for buffer overflow error

Roberto Ierusalimschy 2004-11-03 10:22:39 -02:00
parent 737ec947d3
commit cfd7bc478f

30
bugs

@ -658,14 +658,28 @@ rep129(longs)
patch = [[
* lvm.c:
329c329,331
< tl += tsvalue(top-n-1)->tsv.len;
---
> size_t l = tsvalue(top-n-1)->tsv.len;
> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
> tl += l;
332d333
< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
@@ -321,15 +321,15 @@
luaG_concaterror(L, top-2, top-1);
} else if (tsvalue(top-1)->tsv.len > 0) { /* if len=0, do nothing */
/* at least two string values; get as many as possible */
- lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
- cast(lu_mem, tsvalue(top-2)->tsv.len);
+ size_t tl = tsvalue(top-1)->tsv.len;
char *buffer;
int i;
- while (n < total && tostring(L, top-n-1)) { /* collect total length */
- tl += tsvalue(top-n-1)->tsv.len;
- n++;
+ /* collect total length */
+ for (n = 1; n < total && tostring(L, top-n-1); n++) {
+ size_t l = tsvalue(top-n-1)->tsv.len;
+ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+ tl += l;
}
- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
buffer = luaZ_openspace(L, &G(L)->buff, tl);
tl = 0;
for (i=n; i>0; i--) { /* concat all strings */
]]
}
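Review bot: The guard `if (l >= MAX_SIZET - tl)` in the embedded lvm.c patch has no comment explaining why it is written as a subtraction, so a later cleanup could turn it back into `tl + l > MAX_SIZET`, which wraps around in `size_t` and never fires. I would put `/* compare before adding: tl + l may wrap around in size_t */` directly above it. The subtraction is only safe while `tl` never exceeds `MAX_SIZET`; that presumably holds because `tl` starts from one string's length and grows only after passing the guard, and the same comment should state that invariant. The enclosing function in lvm.c starts and ends outside the embedded hunk, so the later use of `tl` after `luaZ_openspace` cannot be checked from this page.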