diff options
| author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2004-08-17 14:45:45 -0300 |
|---|---|---|
| committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2004-08-17 14:45:45 -0300 |
| commit | 271e05917f7782db2301e04923423b00994c75db (patch) | |
| tree | dfd41b86c5cda2678873dc8d516b8fc76bcef98e | |
| parent | fe8c365281f0f23f24ea79357296b8b9c91b7fdb (diff) | |
| download | lua-271e05917f7782db2301e04923423b00994c75db.tar.gz lua-271e05917f7782db2301e04923423b00994c75db.tar.bz2 lua-271e05917f7782db2301e04923423b00994c75db.zip | |
bug: lua_getupvalue and setupvalue do not check for index too small.
| -rw-r--r-- | bugs | 21 | ||||
| -rw-r--r-- | lapi.c | 6 |
2 files changed, 24 insertions, 3 deletions
| @@ -669,3 +669,24 @@ patch = [[ | |||
| 669 | ]] | 669 | ]] |
| 670 | } | 670 | } |
| 671 | 671 | ||
| 672 | |||
| 673 | Bug{ | ||
| 674 | what = [[lua_getupvalue and setupvalue do not check for index too small]], | ||
| 675 | |||
| 676 | report = [[Mike Pall, ?/2004]], | ||
| 677 | |||
| 678 | example = [[debug.getupvalue(function() end, 0)]], | ||
| 679 | |||
| 680 | patch = [[ | ||
| 681 | * lapi.c | ||
| 682 | 941c941 | ||
| 683 | < if (n > f->c.nupvalues) return NULL; | ||
| 684 | --- | ||
| 685 | > if (!(1 <= n && n <= f->c.nupvalues)) return NULL; | ||
| 686 | 947c947 | ||
| 687 | < if (n > p->sizeupvalues) return NULL; | ||
| 688 | --- | ||
| 689 | > if (!(1 <= n && n <= p->sizeupvalues)) return NULL; | ||
| 690 | ]] | ||
| 691 | } | ||
| 692 | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | /* | 1 | /* |
| 2 | ** $Id: lapi.c,v 2.15 2004/08/10 19:17:23 roberto Exp roberto $ | 2 | ** $Id: lapi.c,v 2.16 2004/08/12 17:02:51 roberto Exp roberto $ |
| 3 | ** Lua API | 3 | ** Lua API |
| 4 | ** See Copyright Notice in lua.h | 4 | ** See Copyright Notice in lua.h |
| 5 | */ | 5 | */ |
| @@ -938,13 +938,13 @@ static const char *aux_upvalue (lua_State *L, StkId fi, int n, TValue **val) { | |||
| 938 | if (!ttisfunction(fi)) return NULL; | 938 | if (!ttisfunction(fi)) return NULL; |
| 939 | f = clvalue(fi); | 939 | f = clvalue(fi); |
| 940 | if (f->c.isC) { | 940 | if (f->c.isC) { |
| 941 | if (n > f->c.nupvalues) return NULL; | 941 | if (!(1 <= n && n <= f->c.nupvalues)) return NULL; |
| 942 | *val = &f->c.upvalue[n-1]; | 942 | *val = &f->c.upvalue[n-1]; |
| 943 | return ""; | 943 | return ""; |
| 944 | } | 944 | } |
| 945 | else { | 945 | else { |
| 946 | Proto *p = f->l.p; | 946 | Proto *p = f->l.p; |
| 947 | if (n > p->sizeupvalues) return NULL; | 947 | if (!(1 <= n && n <= p->sizeupvalues)) return NULL; |
| 948 | *val = f->l.upvals[n-1]->v; | 948 | *val = f->l.upvals[n-1]->v; |
| 949 | return getstr(p->upvalues[n-1]); | 949 | return getstr(p->upvalues[n-1]); |
| 950 | } | 950 | } |