aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlijunlong <lijunlong@openresty.com>2023-07-20 23:47:32 +0800
committerGitHub <noreply@github.com>2023-07-20 23:47:32 +0800
commit2bfad8f5eeb821357d2ada29506e864ff7ec947e (patch)
tree0916a75dbb2b24cee1e558e94d0a4e36fabdcf10
parent881accc8fadca5ec02aa34d364df2a1aa25cd2f9 (diff)
downloadlua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.tar.gz
lua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.tar.bz2
lua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.zip
Bugfix: Lua cjson integer overflow issues (CVE-2022-24834) (#94)2.1.0.13
* Fix integer overflows due to using wrong integer size. * Add assertions / panic when overflow still happens. Co-authored-by: Oran Agra <oran@redislabs.com> Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
-rw-r--r--.travis.yml2
-rw-r--r--lua_cjson.c9
-rw-r--r--strbuf.c110
-rw-r--r--strbuf.h46
4 files changed, 55 insertions, 112 deletions
diff --git a/.travis.yml b/.travis.yml
index 091ff98..469d5dd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -27,7 +27,7 @@ env:
27 - JOBS=3 27 - JOBS=3
28 - LUAROCKS_VER=2.4.2 28 - LUAROCKS_VER=2.4.2
29 matrix: 29 matrix:
30 #- LUA=1 LUA_DIR=/usr LUA_INCLUDE_DIR=$LUA_DIR/include/lua5.1 30 #- LUA=1 LUA_DIR=/usr LUA_INCLUDE_DIR=$LUA_DIR/include/lua5.1
31 - LUAJIT=1 LUA_DIR=/usr/local LUA_INCLUDE_DIR=$LUA_DIR/include/luajit-2.1 LUA_SUFFIX=--lua-suffix=jit 31 - LUAJIT=1 LUA_DIR=/usr/local LUA_INCLUDE_DIR=$LUA_DIR/include/luajit-2.1 LUA_SUFFIX=--lua-suffix=jit
32 32
33install: 33install:
diff --git a/lua_cjson.c b/lua_cjson.c
index 42672de..363466c 100644
--- a/lua_cjson.c
+++ b/lua_cjson.c
@@ -40,6 +40,7 @@
40#include <stdint.h> 40#include <stdint.h>
41#include <string.h> 41#include <string.h>
42#include <math.h> 42#include <math.h>
43#include <stdint.h>
43#include <limits.h> 44#include <limits.h>
44#include <lua.h> 45#include <lua.h>
45#include <lauxlib.h> 46#include <lauxlib.h>
@@ -179,13 +180,13 @@ typedef struct {
179 180
180typedef struct { 181typedef struct {
181 json_token_type_t type; 182 json_token_type_t type;
182 int index; 183 size_t index;
183 union { 184 union {
184 const char *string; 185 const char *string;
185 double number; 186 double number;
186 int boolean; 187 int boolean;
187 } value; 188 } value;
188 int string_len; 189 size_t string_len;
189} json_token_t; 190} json_token_t;
190 191
191static const char *char2escape[256] = { 192static const char *char2escape[256] = {
@@ -557,6 +558,8 @@ static void json_append_string(lua_State *l, strbuf_t *json, int lindex)
557 * This buffer is reused constantly for small strings 558 * This buffer is reused constantly for small strings
558 * If there are any excess pages, they won't be hit anyway. 559 * If there are any excess pages, they won't be hit anyway.
559 * This gains ~5% speedup. */ 560 * This gains ~5% speedup. */
561 if (len > SIZE_MAX / 6 - 3)
562 abort(); /* Overflow check */
560 strbuf_ensure_empty_length(json, len * 6 + 2); 563 strbuf_ensure_empty_length(json, len * 6 + 2);
561 564
562 strbuf_append_char_unsafe(json, '\"'); 565 strbuf_append_char_unsafe(json, '\"');
@@ -848,7 +851,7 @@ static int json_encode(lua_State *l)
848 strbuf_t local_encode_buf; 851 strbuf_t local_encode_buf;
849 strbuf_t *encode_buf; 852 strbuf_t *encode_buf;
850 char *json; 853 char *json;
851 int len; 854 size_t len;
852 855
853 luaL_argcheck(l, lua_gettop(l) == 1, 1, "expected 1 argument"); 856 luaL_argcheck(l, lua_gettop(l) == 1, 1, "expected 1 argument");
854 857
diff --git a/strbuf.c b/strbuf.c
index ed13367..2dc30be 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -26,6 +26,7 @@
26#include <stdlib.h> 26#include <stdlib.h>
27#include <stdarg.h> 27#include <stdarg.h>
28#include <string.h> 28#include <string.h>
29#include <stdint.h>
29 30
30#include "strbuf.h" 31#include "strbuf.h"
31 32
@@ -38,22 +39,22 @@ static void die(const char *fmt, ...)
38 va_end(arg); 39 va_end(arg);
39 fprintf(stderr, "\n"); 40 fprintf(stderr, "\n");
40 41
41 exit(-1); 42 abort();
42} 43}
43 44
44void strbuf_init(strbuf_t *s, int len) 45void strbuf_init(strbuf_t *s, size_t len)
45{ 46{
46 int size; 47 size_t size;
47 48
48 if (len <= 0) 49 if (!len)
49 size = STRBUF_DEFAULT_SIZE; 50 size = STRBUF_DEFAULT_SIZE;
50 else 51 else
51 size = len + 1; /* \0 terminator */ 52 size = len + 1;
52 53 if (size < len)
54 die("Overflow, len: %zu", len);
53 s->buf = NULL; 55 s->buf = NULL;
54 s->size = size; 56 s->size = size;
55 s->length = 0; 57 s->length = 0;
56 s->increment = STRBUF_DEFAULT_INCREMENT;
57 s->dynamic = 0; 58 s->dynamic = 0;
58 s->reallocs = 0; 59 s->reallocs = 0;
59 s->debug = 0; 60 s->debug = 0;
@@ -65,7 +66,7 @@ void strbuf_init(strbuf_t *s, int len)
65 strbuf_ensure_null(s); 66 strbuf_ensure_null(s);
66} 67}
67 68
68strbuf_t *strbuf_new(int len) 69strbuf_t *strbuf_new(size_t len)
69{ 70{
70 strbuf_t *s; 71 strbuf_t *s;
71 72
@@ -81,20 +82,10 @@ strbuf_t *strbuf_new(int len)
81 return s; 82 return s;
82} 83}
83 84
84void strbuf_set_increment(strbuf_t *s, int increment)
85{
86 /* Increment > 0: Linear buffer growth rate
87 * Increment < -1: Exponential buffer growth rate */
88 if (increment == 0 || increment == -1)
89 die("BUG: Invalid string increment");
90
91 s->increment = increment;
92}
93
94static inline void debug_stats(strbuf_t *s) 85static inline void debug_stats(strbuf_t *s)
95{ 86{
96 if (s->debug) { 87 if (s->debug) {
97 fprintf(stderr, "strbuf(%lx) reallocs: %d, length: %d, size: %d\n", 88 fprintf(stderr, "strbuf(%lx) reallocs: %d, length: %zd, size: %zd\n",
98 (long)s, s->reallocs, s->length, s->size); 89 (long)s, s->reallocs, s->length, s->size);
99 } 90 }
100} 91}
@@ -113,7 +104,7 @@ void strbuf_free(strbuf_t *s)
113 free(s); 104 free(s);
114} 105}
115 106
116char *strbuf_free_to_string(strbuf_t *s, int *len) 107char *strbuf_free_to_string(strbuf_t *s, size_t *len)
117{ 108{
118 char *buf; 109 char *buf;
119 110
@@ -131,57 +122,63 @@ char *strbuf_free_to_string(strbuf_t *s, int *len)
131 return buf; 122 return buf;
132} 123}
133 124
134static int calculate_new_size(strbuf_t *s, int len) 125static size_t calculate_new_size(strbuf_t *s, size_t len)
135{ 126{
136 int reqsize, newsize; 127 size_t reqsize, newsize;
137 128
138 if (len <= 0) 129 if (len <= 0)
139 die("BUG: Invalid strbuf length requested"); 130 die("BUG: Invalid strbuf length requested");
140 131
141 /* Ensure there is room for optional NULL termination */ 132 /* Ensure there is room for optional NULL termination */
142 reqsize = len + 1; 133 reqsize = len + 1;
134 if (reqsize < len)
135 die("Overflow, len: %zu", len);
143 136
144 /* If the user has requested to shrink the buffer, do it exactly */ 137 /* If the user has requested to shrink the buffer, do it exactly */
145 if (s->size > reqsize) 138 if (s->size > reqsize)
146 return reqsize; 139 return reqsize;
147 140
148 newsize = s->size; 141 newsize = s->size;
149 if (s->increment < 0) { 142 if (reqsize >= SIZE_MAX / 2) {
143 newsize = reqsize;
144 } else {
150 /* Exponential sizing */ 145 /* Exponential sizing */
151 while (newsize < reqsize) 146 while (newsize < reqsize)
152 newsize *= -s->increment; 147 newsize *= 2;
153 } else if (s->increment != 0) {
154 /* Linear sizing */
155 newsize = ((newsize + s->increment - 1) / s->increment) * s->increment;
156 } 148 }
157 149
150 if (newsize < reqsize)
151 die("BUG: strbuf length would overflow, len: %zu", len);
152
153
158 return newsize; 154 return newsize;
159} 155}
160 156
161 157
162/* Ensure strbuf can handle a string length bytes long (ignoring NULL 158/* Ensure strbuf can handle a string length bytes long (ignoring NULL
163 * optional termination). */ 159 * optional termination). */
164void strbuf_resize(strbuf_t *s, int len) 160void strbuf_resize(strbuf_t *s, size_t len)
165{ 161{
166 int newsize; 162 size_t newsize;
167 163
168 newsize = calculate_new_size(s, len); 164 newsize = calculate_new_size(s, len);
169 165
170 if (s->debug > 1) { 166 if (s->debug > 1) {
171 fprintf(stderr, "strbuf(%lx) resize: %d => %d\n", 167 fprintf(stderr, "strbuf(%lx) resize: %zd => %zd\n",
172 (long)s, s->size, newsize); 168 (long)s, s->size, newsize);
173 } 169 }
174 170
175 s->size = newsize; 171 s->size = newsize;
176 s->buf = realloc(s->buf, s->size); 172 s->buf = realloc(s->buf, s->size);
177 if (!s->buf) 173 if (!s->buf)
178 die("Out of memory"); 174 die("Out of memory, len: %zu", len);
179 s->reallocs++; 175 s->reallocs++;
180} 176}
181 177
182void strbuf_append_string(strbuf_t *s, const char *str) 178void strbuf_append_string(strbuf_t *s, const char *str)
183{ 179{
184 int space, i; 180 int i;
181 size_t space;
185 182
186 space = strbuf_empty_length(s); 183 space = strbuf_empty_length(s);
187 184
@@ -197,55 +194,6 @@ void strbuf_append_string(strbuf_t *s, const char *str)
197 } 194 }
198} 195}
199 196
200/* strbuf_append_fmt() should only be used when an upper bound
201 * is known for the output string. */
202void strbuf_append_fmt(strbuf_t *s, int len, const char *fmt, ...)
203{
204 va_list arg;
205 int fmt_len;
206
207 strbuf_ensure_empty_length(s, len);
208
209 va_start(arg, fmt);
210 fmt_len = vsnprintf(s->buf + s->length, len, fmt, arg);
211 va_end(arg);
212
213 if (fmt_len < 0)
214 die("BUG: Unable to convert number"); /* This should never happen.. */
215
216 s->length += fmt_len;
217}
218
219/* strbuf_append_fmt_retry() can be used when the there is no known
220 * upper bound for the output string. */
221void strbuf_append_fmt_retry(strbuf_t *s, const char *fmt, ...)
222{
223 va_list arg;
224 int fmt_len, try;
225 int empty_len;
226
227 /* If the first attempt to append fails, resize the buffer appropriately
228 * and try again */
229 for (try = 0; ; try++) {
230 va_start(arg, fmt);
231 /* Append the new formatted string */
232 /* fmt_len is the length of the string required, excluding the
233 * trailing NULL */
234 empty_len = strbuf_empty_length(s);
235 /* Add 1 since there is also space to store the terminating NULL. */
236 fmt_len = vsnprintf(s->buf + s->length, empty_len + 1, fmt, arg);
237 va_end(arg);
238
239 if (fmt_len <= empty_len)
240 break; /* SUCCESS */
241 if (try > 0)
242 die("BUG: length of formatted string changed");
243
244 strbuf_resize(s, s->length + fmt_len);
245 }
246
247 s->length += fmt_len;
248}
249 197
250/* vi:ai et sw=4 ts=4: 198/* vi:ai et sw=4 ts=4:
251 */ 199 */
diff --git a/strbuf.h b/strbuf.h
index a98ee22..d77e0f4 100644
--- a/strbuf.h
+++ b/strbuf.h
@@ -32,15 +32,13 @@
32 32
33/* Size: Total bytes allocated to *buf 33/* Size: Total bytes allocated to *buf
34 * Length: String length, excluding optional NULL terminator. 34 * Length: String length, excluding optional NULL terminator.
35 * Increment: Allocation increments when resizing the string buffer.
36 * Dynamic: True if created via strbuf_new() 35 * Dynamic: True if created via strbuf_new()
37 */ 36 */
38 37
39typedef struct { 38typedef struct {
40 char *buf; 39 char *buf;
41 int size; 40 size_t size;
42 int length; 41 size_t length;
43 int increment;
44 int dynamic; 42 int dynamic;
45 int reallocs; 43 int reallocs;
46 int debug; 44 int debug;
@@ -49,33 +47,27 @@ typedef struct {
49#ifndef STRBUF_DEFAULT_SIZE 47#ifndef STRBUF_DEFAULT_SIZE
50#define STRBUF_DEFAULT_SIZE 1023 48#define STRBUF_DEFAULT_SIZE 1023
51#endif 49#endif
52#ifndef STRBUF_DEFAULT_INCREMENT
53#define STRBUF_DEFAULT_INCREMENT -2
54#endif
55 50
56/* Initialise */ 51/* Initialise */
57extern strbuf_t *strbuf_new(int len); 52extern strbuf_t *strbuf_new(size_t len);
58extern void strbuf_init(strbuf_t *s, int len); 53extern void strbuf_init(strbuf_t *s, size_t len);
59extern void strbuf_set_increment(strbuf_t *s, int increment);
60 54
61/* Release */ 55/* Release */
62extern void strbuf_free(strbuf_t *s); 56extern void strbuf_free(strbuf_t *s);
63extern char *strbuf_free_to_string(strbuf_t *s, int *len); 57extern char *strbuf_free_to_string(strbuf_t *s, size_t *len);
64 58
65/* Management */ 59/* Management */
66extern void strbuf_resize(strbuf_t *s, int len); 60extern void strbuf_resize(strbuf_t *s, size_t len);
67static int strbuf_empty_length(strbuf_t *s); 61static size_t strbuf_empty_length(strbuf_t *s);
68static int strbuf_length(strbuf_t *s); 62static size_t strbuf_length(strbuf_t *s);
69static char *strbuf_string(strbuf_t *s, int *len); 63static char *strbuf_string(strbuf_t *s, size_t *len);
70static void strbuf_ensure_empty_length(strbuf_t *s, int len); 64static void strbuf_ensure_empty_length(strbuf_t *s, size_t len);
71static char *strbuf_empty_ptr(strbuf_t *s); 65static char *strbuf_empty_ptr(strbuf_t *s);
72static void strbuf_extend_length(strbuf_t *s, int len); 66static void strbuf_extend_length(strbuf_t *s, size_t len);
73static void strbuf_set_length(strbuf_t *s, int len); 67static void strbuf_set_length(strbuf_t *s, int len);
74 68
75/* Update */ 69/* Update */
76extern void strbuf_append_fmt(strbuf_t *s, int len, const char *fmt, ...); 70static void strbuf_append_mem(strbuf_t *s, const char *c, size_t len);
77extern void strbuf_append_fmt_retry(strbuf_t *s, const char *format, ...);
78static void strbuf_append_mem(strbuf_t *s, const char *c, int len);
79extern void strbuf_append_string(strbuf_t *s, const char *str); 71extern void strbuf_append_string(strbuf_t *s, const char *str);
80static void strbuf_append_char(strbuf_t *s, const char c); 72static void strbuf_append_char(strbuf_t *s, const char c);
81static void strbuf_ensure_null(strbuf_t *s); 73static void strbuf_ensure_null(strbuf_t *s);
@@ -93,12 +85,12 @@ static inline int strbuf_allocated(strbuf_t *s)
93 85
94/* Return bytes remaining in the string buffer 86/* Return bytes remaining in the string buffer
95 * Ensure there is space for a NULL terminator. */ 87 * Ensure there is space for a NULL terminator. */
96static inline int strbuf_empty_length(strbuf_t *s) 88static inline size_t strbuf_empty_length(strbuf_t *s)
97{ 89{
98 return s->size - s->length - 1; 90 return s->size - s->length - 1;
99} 91}
100 92
101static inline void strbuf_ensure_empty_length(strbuf_t *s, int len) 93static inline void strbuf_ensure_empty_length(strbuf_t *s, size_t len)
102{ 94{
103 if (len > strbuf_empty_length(s)) 95 if (len > strbuf_empty_length(s))
104 strbuf_resize(s, s->length + len); 96 strbuf_resize(s, s->length + len);
@@ -114,12 +106,12 @@ static inline void strbuf_set_length(strbuf_t *s, int len)
114 s->length = len; 106 s->length = len;
115} 107}
116 108
117static inline void strbuf_extend_length(strbuf_t *s, int len) 109static inline void strbuf_extend_length(strbuf_t *s, size_t len)
118{ 110{
119 s->length += len; 111 s->length += len;
120} 112}
121 113
122static inline int strbuf_length(strbuf_t *s) 114static inline size_t strbuf_length(strbuf_t *s)
123{ 115{
124 return s->length; 116 return s->length;
125} 117}
@@ -135,14 +127,14 @@ static inline void strbuf_append_char_unsafe(strbuf_t *s, const char c)
135 s->buf[s->length++] = c; 127 s->buf[s->length++] = c;
136} 128}
137 129
138static inline void strbuf_append_mem(strbuf_t *s, const char *c, int len) 130static inline void strbuf_append_mem(strbuf_t *s, const char *c, size_t len)
139{ 131{
140 strbuf_ensure_empty_length(s, len); 132 strbuf_ensure_empty_length(s, len);
141 memcpy(s->buf + s->length, c, len); 133 memcpy(s->buf + s->length, c, len);
142 s->length += len; 134 s->length += len;
143} 135}
144 136
145static inline void strbuf_append_mem_unsafe(strbuf_t *s, const char *c, int len) 137static inline void strbuf_append_mem_unsafe(strbuf_t *s, const char *c, size_t len)
146{ 138{
147 memcpy(s->buf + s->length, c, len); 139 memcpy(s->buf + s->length, c, len);
148 s->length += len; 140 s->length += len;
@@ -153,7 +145,7 @@ static inline void strbuf_ensure_null(strbuf_t *s)
153 s->buf[s->length] = 0; 145 s->buf[s->length] = 0;
154} 146}
155 147
156static inline char *strbuf_string(strbuf_t *s, int *len) 148static inline char *strbuf_string(strbuf_t *s, size_t *len)
157{ 149{
158 if (len) 150 if (len)
159 *len = s->length; 151 *len = s->length;