diff options
author | lijunlong <lijunlong@openresty.com> | 2023-07-20 23:47:32 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-20 23:47:32 +0800 |
commit | 2bfad8f5eeb821357d2ada29506e864ff7ec947e (patch) | |
tree | 0916a75dbb2b24cee1e558e94d0a4e36fabdcf10 | |
parent | 881accc8fadca5ec02aa34d364df2a1aa25cd2f9 (diff) | |
download | lua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.tar.gz lua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.tar.bz2 lua-cjson-2bfad8f5eeb821357d2ada29506e864ff7ec947e.zip |
Bugfix: Lua cjson integer overflow issues (CVE-2022-24834) (#94)2.1.0.13
* Fix integer overflows due to using wrong integer size.
* Add assertions / panic when overflow still happens.
Co-authored-by: Oran Agra <oran@redislabs.com>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | lua_cjson.c | 9 | ||||
-rw-r--r-- | strbuf.c | 110 | ||||
-rw-r--r-- | strbuf.h | 46 |
4 files changed, 55 insertions, 112 deletions
diff --git a/.travis.yml b/.travis.yml index 091ff98..469d5dd 100644 --- a/.travis.yml +++ b/.travis.yml | |||
@@ -27,7 +27,7 @@ env: | |||
27 | - JOBS=3 | 27 | - JOBS=3 |
28 | - LUAROCKS_VER=2.4.2 | 28 | - LUAROCKS_VER=2.4.2 |
29 | matrix: | 29 | matrix: |
30 | #- LUA=1 LUA_DIR=/usr LUA_INCLUDE_DIR=$LUA_DIR/include/lua5.1 | 30 | #- LUA=1 LUA_DIR=/usr LUA_INCLUDE_DIR=$LUA_DIR/include/lua5.1 |
31 | - LUAJIT=1 LUA_DIR=/usr/local LUA_INCLUDE_DIR=$LUA_DIR/include/luajit-2.1 LUA_SUFFIX=--lua-suffix=jit | 31 | - LUAJIT=1 LUA_DIR=/usr/local LUA_INCLUDE_DIR=$LUA_DIR/include/luajit-2.1 LUA_SUFFIX=--lua-suffix=jit |
32 | 32 | ||
33 | install: | 33 | install: |
diff --git a/lua_cjson.c b/lua_cjson.c index 42672de..363466c 100644 --- a/lua_cjson.c +++ b/lua_cjson.c | |||
@@ -40,6 +40,7 @@ | |||
40 | #include <stdint.h> | 40 | #include <stdint.h> |
41 | #include <string.h> | 41 | #include <string.h> |
42 | #include <math.h> | 42 | #include <math.h> |
43 | #include <stdint.h> | ||
43 | #include <limits.h> | 44 | #include <limits.h> |
44 | #include <lua.h> | 45 | #include <lua.h> |
45 | #include <lauxlib.h> | 46 | #include <lauxlib.h> |
@@ -179,13 +180,13 @@ typedef struct { | |||
179 | 180 | ||
180 | typedef struct { | 181 | typedef struct { |
181 | json_token_type_t type; | 182 | json_token_type_t type; |
182 | int index; | 183 | size_t index; |
183 | union { | 184 | union { |
184 | const char *string; | 185 | const char *string; |
185 | double number; | 186 | double number; |
186 | int boolean; | 187 | int boolean; |
187 | } value; | 188 | } value; |
188 | int string_len; | 189 | size_t string_len; |
189 | } json_token_t; | 190 | } json_token_t; |
190 | 191 | ||
191 | static const char *char2escape[256] = { | 192 | static const char *char2escape[256] = { |
@@ -557,6 +558,8 @@ static void json_append_string(lua_State *l, strbuf_t *json, int lindex) | |||
557 | * This buffer is reused constantly for small strings | 558 | * This buffer is reused constantly for small strings |
558 | * If there are any excess pages, they won't be hit anyway. | 559 | * If there are any excess pages, they won't be hit anyway. |
559 | * This gains ~5% speedup. */ | 560 | * This gains ~5% speedup. */ |
561 | if (len > SIZE_MAX / 6 - 3) | ||
562 | abort(); /* Overflow check */ | ||
560 | strbuf_ensure_empty_length(json, len * 6 + 2); | 563 | strbuf_ensure_empty_length(json, len * 6 + 2); |
561 | 564 | ||
562 | strbuf_append_char_unsafe(json, '\"'); | 565 | strbuf_append_char_unsafe(json, '\"'); |
@@ -848,7 +851,7 @@ static int json_encode(lua_State *l) | |||
848 | strbuf_t local_encode_buf; | 851 | strbuf_t local_encode_buf; |
849 | strbuf_t *encode_buf; | 852 | strbuf_t *encode_buf; |
850 | char *json; | 853 | char *json; |
851 | int len; | 854 | size_t len; |
852 | 855 | ||
853 | luaL_argcheck(l, lua_gettop(l) == 1, 1, "expected 1 argument"); | 856 | luaL_argcheck(l, lua_gettop(l) == 1, 1, "expected 1 argument"); |
854 | 857 | ||
@@ -26,6 +26,7 @@ | |||
26 | #include <stdlib.h> | 26 | #include <stdlib.h> |
27 | #include <stdarg.h> | 27 | #include <stdarg.h> |
28 | #include <string.h> | 28 | #include <string.h> |
29 | #include <stdint.h> | ||
29 | 30 | ||
30 | #include "strbuf.h" | 31 | #include "strbuf.h" |
31 | 32 | ||
@@ -38,22 +39,22 @@ static void die(const char *fmt, ...) | |||
38 | va_end(arg); | 39 | va_end(arg); |
39 | fprintf(stderr, "\n"); | 40 | fprintf(stderr, "\n"); |
40 | 41 | ||
41 | exit(-1); | 42 | abort(); |
42 | } | 43 | } |
43 | 44 | ||
44 | void strbuf_init(strbuf_t *s, int len) | 45 | void strbuf_init(strbuf_t *s, size_t len) |
45 | { | 46 | { |
46 | int size; | 47 | size_t size; |
47 | 48 | ||
48 | if (len <= 0) | 49 | if (!len) |
49 | size = STRBUF_DEFAULT_SIZE; | 50 | size = STRBUF_DEFAULT_SIZE; |
50 | else | 51 | else |
51 | size = len + 1; /* \0 terminator */ | 52 | size = len + 1; |
52 | 53 | if (size < len) | |
54 | die("Overflow, len: %zu", len); | ||
53 | s->buf = NULL; | 55 | s->buf = NULL; |
54 | s->size = size; | 56 | s->size = size; |
55 | s->length = 0; | 57 | s->length = 0; |
56 | s->increment = STRBUF_DEFAULT_INCREMENT; | ||
57 | s->dynamic = 0; | 58 | s->dynamic = 0; |
58 | s->reallocs = 0; | 59 | s->reallocs = 0; |
59 | s->debug = 0; | 60 | s->debug = 0; |
@@ -65,7 +66,7 @@ void strbuf_init(strbuf_t *s, int len) | |||
65 | strbuf_ensure_null(s); | 66 | strbuf_ensure_null(s); |
66 | } | 67 | } |
67 | 68 | ||
68 | strbuf_t *strbuf_new(int len) | 69 | strbuf_t *strbuf_new(size_t len) |
69 | { | 70 | { |
70 | strbuf_t *s; | 71 | strbuf_t *s; |
71 | 72 | ||
@@ -81,20 +82,10 @@ strbuf_t *strbuf_new(int len) | |||
81 | return s; | 82 | return s; |
82 | } | 83 | } |
83 | 84 | ||
84 | void strbuf_set_increment(strbuf_t *s, int increment) | ||
85 | { | ||
86 | /* Increment > 0: Linear buffer growth rate | ||
87 | * Increment < -1: Exponential buffer growth rate */ | ||
88 | if (increment == 0 || increment == -1) | ||
89 | die("BUG: Invalid string increment"); | ||
90 | |||
91 | s->increment = increment; | ||
92 | } | ||
93 | |||
94 | static inline void debug_stats(strbuf_t *s) | 85 | static inline void debug_stats(strbuf_t *s) |
95 | { | 86 | { |
96 | if (s->debug) { | 87 | if (s->debug) { |
97 | fprintf(stderr, "strbuf(%lx) reallocs: %d, length: %d, size: %d\n", | 88 | fprintf(stderr, "strbuf(%lx) reallocs: %d, length: %zd, size: %zd\n", |
98 | (long)s, s->reallocs, s->length, s->size); | 89 | (long)s, s->reallocs, s->length, s->size); |
99 | } | 90 | } |
100 | } | 91 | } |
@@ -113,7 +104,7 @@ void strbuf_free(strbuf_t *s) | |||
113 | free(s); | 104 | free(s); |
114 | } | 105 | } |
115 | 106 | ||
116 | char *strbuf_free_to_string(strbuf_t *s, int *len) | 107 | char *strbuf_free_to_string(strbuf_t *s, size_t *len) |
117 | { | 108 | { |
118 | char *buf; | 109 | char *buf; |
119 | 110 | ||
@@ -131,57 +122,63 @@ char *strbuf_free_to_string(strbuf_t *s, int *len) | |||
131 | return buf; | 122 | return buf; |
132 | } | 123 | } |
133 | 124 | ||
134 | static int calculate_new_size(strbuf_t *s, int len) | 125 | static size_t calculate_new_size(strbuf_t *s, size_t len) |
135 | { | 126 | { |
136 | int reqsize, newsize; | 127 | size_t reqsize, newsize; |
137 | 128 | ||
138 | if (len <= 0) | 129 | if (len <= 0) |
139 | die("BUG: Invalid strbuf length requested"); | 130 | die("BUG: Invalid strbuf length requested"); |
140 | 131 | ||
141 | /* Ensure there is room for optional NULL termination */ | 132 | /* Ensure there is room for optional NULL termination */ |
142 | reqsize = len + 1; | 133 | reqsize = len + 1; |
134 | if (reqsize < len) | ||
135 | die("Overflow, len: %zu", len); | ||
143 | 136 | ||
144 | /* If the user has requested to shrink the buffer, do it exactly */ | 137 | /* If the user has requested to shrink the buffer, do it exactly */ |
145 | if (s->size > reqsize) | 138 | if (s->size > reqsize) |
146 | return reqsize; | 139 | return reqsize; |
147 | 140 | ||
148 | newsize = s->size; | 141 | newsize = s->size; |
149 | if (s->increment < 0) { | 142 | if (reqsize >= SIZE_MAX / 2) { |
143 | newsize = reqsize; | ||
144 | } else { | ||
150 | /* Exponential sizing */ | 145 | /* Exponential sizing */ |
151 | while (newsize < reqsize) | 146 | while (newsize < reqsize) |
152 | newsize *= -s->increment; | 147 | newsize *= 2; |
153 | } else if (s->increment != 0) { | ||
154 | /* Linear sizing */ | ||
155 | newsize = ((newsize + s->increment - 1) / s->increment) * s->increment; | ||
156 | } | 148 | } |
157 | 149 | ||
150 | if (newsize < reqsize) | ||
151 | die("BUG: strbuf length would overflow, len: %zu", len); | ||
152 | |||
153 | |||
158 | return newsize; | 154 | return newsize; |
159 | } | 155 | } |
160 | 156 | ||
161 | 157 | ||
162 | /* Ensure strbuf can handle a string length bytes long (ignoring NULL | 158 | /* Ensure strbuf can handle a string length bytes long (ignoring NULL |
163 | * optional termination). */ | 159 | * optional termination). */ |
164 | void strbuf_resize(strbuf_t *s, int len) | 160 | void strbuf_resize(strbuf_t *s, size_t len) |
165 | { | 161 | { |
166 | int newsize; | 162 | size_t newsize; |
167 | 163 | ||
168 | newsize = calculate_new_size(s, len); | 164 | newsize = calculate_new_size(s, len); |
169 | 165 | ||
170 | if (s->debug > 1) { | 166 | if (s->debug > 1) { |
171 | fprintf(stderr, "strbuf(%lx) resize: %d => %d\n", | 167 | fprintf(stderr, "strbuf(%lx) resize: %zd => %zd\n", |
172 | (long)s, s->size, newsize); | 168 | (long)s, s->size, newsize); |
173 | } | 169 | } |
174 | 170 | ||
175 | s->size = newsize; | 171 | s->size = newsize; |
176 | s->buf = realloc(s->buf, s->size); | 172 | s->buf = realloc(s->buf, s->size); |
177 | if (!s->buf) | 173 | if (!s->buf) |
178 | die("Out of memory"); | 174 | die("Out of memory, len: %zu", len); |
179 | s->reallocs++; | 175 | s->reallocs++; |
180 | } | 176 | } |
181 | 177 | ||
182 | void strbuf_append_string(strbuf_t *s, const char *str) | 178 | void strbuf_append_string(strbuf_t *s, const char *str) |
183 | { | 179 | { |
184 | int space, i; | 180 | int i; |
181 | size_t space; | ||
185 | 182 | ||
186 | space = strbuf_empty_length(s); | 183 | space = strbuf_empty_length(s); |
187 | 184 | ||
@@ -197,55 +194,6 @@ void strbuf_append_string(strbuf_t *s, const char *str) | |||
197 | } | 194 | } |
198 | } | 195 | } |
199 | 196 | ||
200 | /* strbuf_append_fmt() should only be used when an upper bound | ||
201 | * is known for the output string. */ | ||
202 | void strbuf_append_fmt(strbuf_t *s, int len, const char *fmt, ...) | ||
203 | { | ||
204 | va_list arg; | ||
205 | int fmt_len; | ||
206 | |||
207 | strbuf_ensure_empty_length(s, len); | ||
208 | |||
209 | va_start(arg, fmt); | ||
210 | fmt_len = vsnprintf(s->buf + s->length, len, fmt, arg); | ||
211 | va_end(arg); | ||
212 | |||
213 | if (fmt_len < 0) | ||
214 | die("BUG: Unable to convert number"); /* This should never happen.. */ | ||
215 | |||
216 | s->length += fmt_len; | ||
217 | } | ||
218 | |||
219 | /* strbuf_append_fmt_retry() can be used when the there is no known | ||
220 | * upper bound for the output string. */ | ||
221 | void strbuf_append_fmt_retry(strbuf_t *s, const char *fmt, ...) | ||
222 | { | ||
223 | va_list arg; | ||
224 | int fmt_len, try; | ||
225 | int empty_len; | ||
226 | |||
227 | /* If the first attempt to append fails, resize the buffer appropriately | ||
228 | * and try again */ | ||
229 | for (try = 0; ; try++) { | ||
230 | va_start(arg, fmt); | ||
231 | /* Append the new formatted string */ | ||
232 | /* fmt_len is the length of the string required, excluding the | ||
233 | * trailing NULL */ | ||
234 | empty_len = strbuf_empty_length(s); | ||
235 | /* Add 1 since there is also space to store the terminating NULL. */ | ||
236 | fmt_len = vsnprintf(s->buf + s->length, empty_len + 1, fmt, arg); | ||
237 | va_end(arg); | ||
238 | |||
239 | if (fmt_len <= empty_len) | ||
240 | break; /* SUCCESS */ | ||
241 | if (try > 0) | ||
242 | die("BUG: length of formatted string changed"); | ||
243 | |||
244 | strbuf_resize(s, s->length + fmt_len); | ||
245 | } | ||
246 | |||
247 | s->length += fmt_len; | ||
248 | } | ||
249 | 197 | ||
250 | /* vi:ai et sw=4 ts=4: | 198 | /* vi:ai et sw=4 ts=4: |
251 | */ | 199 | */ |
@@ -32,15 +32,13 @@ | |||
32 | 32 | ||
33 | /* Size: Total bytes allocated to *buf | 33 | /* Size: Total bytes allocated to *buf |
34 | * Length: String length, excluding optional NULL terminator. | 34 | * Length: String length, excluding optional NULL terminator. |
35 | * Increment: Allocation increments when resizing the string buffer. | ||
36 | * Dynamic: True if created via strbuf_new() | 35 | * Dynamic: True if created via strbuf_new() |
37 | */ | 36 | */ |
38 | 37 | ||
39 | typedef struct { | 38 | typedef struct { |
40 | char *buf; | 39 | char *buf; |
41 | int size; | 40 | size_t size; |
42 | int length; | 41 | size_t length; |
43 | int increment; | ||
44 | int dynamic; | 42 | int dynamic; |
45 | int reallocs; | 43 | int reallocs; |
46 | int debug; | 44 | int debug; |
@@ -49,33 +47,27 @@ typedef struct { | |||
49 | #ifndef STRBUF_DEFAULT_SIZE | 47 | #ifndef STRBUF_DEFAULT_SIZE |
50 | #define STRBUF_DEFAULT_SIZE 1023 | 48 | #define STRBUF_DEFAULT_SIZE 1023 |
51 | #endif | 49 | #endif |
52 | #ifndef STRBUF_DEFAULT_INCREMENT | ||
53 | #define STRBUF_DEFAULT_INCREMENT -2 | ||
54 | #endif | ||
55 | 50 | ||
56 | /* Initialise */ | 51 | /* Initialise */ |
57 | extern strbuf_t *strbuf_new(int len); | 52 | extern strbuf_t *strbuf_new(size_t len); |
58 | extern void strbuf_init(strbuf_t *s, int len); | 53 | extern void strbuf_init(strbuf_t *s, size_t len); |
59 | extern void strbuf_set_increment(strbuf_t *s, int increment); | ||
60 | 54 | ||
61 | /* Release */ | 55 | /* Release */ |
62 | extern void strbuf_free(strbuf_t *s); | 56 | extern void strbuf_free(strbuf_t *s); |
63 | extern char *strbuf_free_to_string(strbuf_t *s, int *len); | 57 | extern char *strbuf_free_to_string(strbuf_t *s, size_t *len); |
64 | 58 | ||
65 | /* Management */ | 59 | /* Management */ |
66 | extern void strbuf_resize(strbuf_t *s, int len); | 60 | extern void strbuf_resize(strbuf_t *s, size_t len); |
67 | static int strbuf_empty_length(strbuf_t *s); | 61 | static size_t strbuf_empty_length(strbuf_t *s); |
68 | static int strbuf_length(strbuf_t *s); | 62 | static size_t strbuf_length(strbuf_t *s); |
69 | static char *strbuf_string(strbuf_t *s, int *len); | 63 | static char *strbuf_string(strbuf_t *s, size_t *len); |
70 | static void strbuf_ensure_empty_length(strbuf_t *s, int len); | 64 | static void strbuf_ensure_empty_length(strbuf_t *s, size_t len); |
71 | static char *strbuf_empty_ptr(strbuf_t *s); | 65 | static char *strbuf_empty_ptr(strbuf_t *s); |
72 | static void strbuf_extend_length(strbuf_t *s, int len); | 66 | static void strbuf_extend_length(strbuf_t *s, size_t len); |
73 | static void strbuf_set_length(strbuf_t *s, int len); | 67 | static void strbuf_set_length(strbuf_t *s, int len); |
74 | 68 | ||
75 | /* Update */ | 69 | /* Update */ |
76 | extern void strbuf_append_fmt(strbuf_t *s, int len, const char *fmt, ...); | 70 | static void strbuf_append_mem(strbuf_t *s, const char *c, size_t len); |
77 | extern void strbuf_append_fmt_retry(strbuf_t *s, const char *format, ...); | ||
78 | static void strbuf_append_mem(strbuf_t *s, const char *c, int len); | ||
79 | extern void strbuf_append_string(strbuf_t *s, const char *str); | 71 | extern void strbuf_append_string(strbuf_t *s, const char *str); |
80 | static void strbuf_append_char(strbuf_t *s, const char c); | 72 | static void strbuf_append_char(strbuf_t *s, const char c); |
81 | static void strbuf_ensure_null(strbuf_t *s); | 73 | static void strbuf_ensure_null(strbuf_t *s); |
@@ -93,12 +85,12 @@ static inline int strbuf_allocated(strbuf_t *s) | |||
93 | 85 | ||
94 | /* Return bytes remaining in the string buffer | 86 | /* Return bytes remaining in the string buffer |
95 | * Ensure there is space for a NULL terminator. */ | 87 | * Ensure there is space for a NULL terminator. */ |
96 | static inline int strbuf_empty_length(strbuf_t *s) | 88 | static inline size_t strbuf_empty_length(strbuf_t *s) |
97 | { | 89 | { |
98 | return s->size - s->length - 1; | 90 | return s->size - s->length - 1; |
99 | } | 91 | } |
100 | 92 | ||
101 | static inline void strbuf_ensure_empty_length(strbuf_t *s, int len) | 93 | static inline void strbuf_ensure_empty_length(strbuf_t *s, size_t len) |
102 | { | 94 | { |
103 | if (len > strbuf_empty_length(s)) | 95 | if (len > strbuf_empty_length(s)) |
104 | strbuf_resize(s, s->length + len); | 96 | strbuf_resize(s, s->length + len); |
@@ -114,12 +106,12 @@ static inline void strbuf_set_length(strbuf_t *s, int len) | |||
114 | s->length = len; | 106 | s->length = len; |
115 | } | 107 | } |
116 | 108 | ||
117 | static inline void strbuf_extend_length(strbuf_t *s, int len) | 109 | static inline void strbuf_extend_length(strbuf_t *s, size_t len) |
118 | { | 110 | { |
119 | s->length += len; | 111 | s->length += len; |
120 | } | 112 | } |
121 | 113 | ||
122 | static inline int strbuf_length(strbuf_t *s) | 114 | static inline size_t strbuf_length(strbuf_t *s) |
123 | { | 115 | { |
124 | return s->length; | 116 | return s->length; |
125 | } | 117 | } |
@@ -135,14 +127,14 @@ static inline void strbuf_append_char_unsafe(strbuf_t *s, const char c) | |||
135 | s->buf[s->length++] = c; | 127 | s->buf[s->length++] = c; |
136 | } | 128 | } |
137 | 129 | ||
138 | static inline void strbuf_append_mem(strbuf_t *s, const char *c, int len) | 130 | static inline void strbuf_append_mem(strbuf_t *s, const char *c, size_t len) |
139 | { | 131 | { |
140 | strbuf_ensure_empty_length(s, len); | 132 | strbuf_ensure_empty_length(s, len); |
141 | memcpy(s->buf + s->length, c, len); | 133 | memcpy(s->buf + s->length, c, len); |
142 | s->length += len; | 134 | s->length += len; |
143 | } | 135 | } |
144 | 136 | ||
145 | static inline void strbuf_append_mem_unsafe(strbuf_t *s, const char *c, int len) | 137 | static inline void strbuf_append_mem_unsafe(strbuf_t *s, const char *c, size_t len) |
146 | { | 138 | { |
147 | memcpy(s->buf + s->length, c, len); | 139 | memcpy(s->buf + s->length, c, len); |
148 | s->length += len; | 140 | s->length += len; |
@@ -153,7 +145,7 @@ static inline void strbuf_ensure_null(strbuf_t *s) | |||
153 | s->buf[s->length] = 0; | 145 | s->buf[s->length] = 0; |
154 | } | 146 | } |
155 | 147 | ||
156 | static inline char *strbuf_string(strbuf_t *s, int *len) | 148 | static inline char *strbuf_string(strbuf_t *s, size_t *len) |
157 | { | 149 | { |
158 | if (len) | 150 | if (len) |
159 | *len = s->length; | 151 | *len = s->length; |