From 2bfad8f5eeb821357d2ada29506e864ff7ec947e Mon Sep 17 00:00:00 2001
From: lijunlong
Date: Thu, 20 Jul 2023 23:47:32 +0800
Subject: Bugfix: Lua cjson integer overflow issues (CVE-2022-24834) (#94)

* Fix integer overflows due to using wrong integer size.
* Add assertions / panic when overflow still happens.

Co-authored-by: Oran Agra
Co-authored-by: Yossi Gottlieb
---
 lua_cjson.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'lua_cjson.c')

diff --git a/lua_cjson.c b/lua_cjson.c
index 42672de..363466c 100644
--- a/lua_cjson.c
+++ b/lua_cjson.c
@@ -40,6 +40,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -179,13 +180,13 @@ typedef struct {
 
 typedef struct {
     json_token_type_t type;
-    int index;
+    size_t index;
     union {
         const char *string;
         double number;
         int boolean;
     } value;
-    int string_len;
+    size_t string_len;
 } json_token_t;
 
 static const char *char2escape[256] = {
@@ -557,6 +558,8 @@ static void json_append_string(lua_State *l, strbuf_t *json, int lindex)
      * This buffer is reused constantly for small strings
      * If there are any excess pages, they won't be hit anyway.
      * This gains ~5% speedup. */
+    if (len > SIZE_MAX / 6 - 3)
+        abort(); /* Overflow check */
     strbuf_ensure_empty_length(json, len * 6 + 2);
 
     strbuf_append_char_unsafe(json, '\"');
@@ -848,7 +851,7 @@ static int json_encode(lua_State *l)
     strbuf_t local_encode_buf;
     strbuf_t *encode_buf;
     char *json;
-    int len;
+    size_t len;
 
     luaL_argcheck(l, lua_gettop(l) == 1, 1, "expected 1 argument");

-- 
cgit v1.2.3-55-g6feb
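Review bot: Widening `index` and `string_len` to `size_t` changes the signedness of every expression that mixes them with `int` values, and any site outside this hunk that formats `index` with a `%d` conversion (a parse-error message built through the Lua string-formatting API, for example) would now pass a `size_t` where an `int` is read, which is undefined behaviour rather than a compiler warning. That code is not on this page, so I cannot confirm it exists; if it does, a cast at the call site such as `(int)(token->index + 1)` keeps the message well-defined, since the Lua formatter has no `%zu`. The `json_token_t` definition is complete within the hunk.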
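Review bot: The new guard bounds the `size_t` expression `len * 6 + 2`, but it does not cover the narrowing that happens if `strbuf_ensure_empty_length` still takes an `int` length; this page is limited to lua_cjson.c, so the strbuf side is not visible, and if it was not widened in the same commit a `len` above `INT_MAX / 6` still wraps into a too-small reservation before the `_unsafe` appends that follow. Confirm the strbuf API takes `size_t` now, or additionally bound `len` against `INT_MAX` here. The comment `/* Overflow check */` says little; `/* len * 6 + 2 must not wrap: the *_unsafe appends below rely on this reservation; fail closed with abort() rather than encode into a short buffer */` records both the invariant and why the failure mode is a process abort instead of a Lua error. json_append_string starts before this hunk and continues after it.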
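Review bot: `len` is now `size_t` but is left uninitialised, and this hunk does not show how it is filled; if it is later passed by address to a strbuf accessor that still takes `int *` (the strbuf changes are outside this page), `&len` becomes an incompatible pointer and only an `int`'s worth of bytes would be written into it, so the value handed to `lua_pushlstring` could contain stale high bytes. Confirm the accessor was widened to `size_t *` in the same commit, and consider `size_t len = 0;` so that a partial write cannot yield an unbounded length. json_encode's body continues past this hunk.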