malicious zero-length string in binary code may segfault Lua +

wrong code generation for some particular boolean expressions
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2009-04-27 17:11:11 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2009-04-27 17:11:11 -0300
commit: 58c3aa8b5f51194980a9abf463a2648bb1413925 (patch)
tree: df81fcd2496b56e94850a451f6f100b97305fe9b
parent: c1f78ff3d32298fbae950bf655bdca11179343ce (diff)
download: lua-58c3aa8b5f51194980a9abf463a2648bb1413925.tar.gz
lua-58c3aa8b5f51194980a9abf463a2648bb1413925.tar.bz2
lua-58c3aa8b5f51194980a9abf463a2648bb1413925.zip
1 files changed, 30 insertions, 2 deletions
diff --git a/bugs b/bugs
index e76692b0..41c5f83e 100644
--- a/bugs
+++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
 +++ lundump.c   2008/04/04 19:51:41     2.7.1.4
 @@ -1,5 +1,5 @@
 /*
-** $Id: bugs,v 1.97 2008/07/11 17:27:41 roberto Exp roberto $
+-** $Id: bugs,v 1.98 2008/08/06 13:32:45 roberto Exp roberto $
-+** $Id: bugs,v 1.97 2008/07/11 17:27:41 roberto Exp roberto $
+** $Id: bugs,v 1.98 2008/08/06 13:32:45 roberto Exp roberto $
 ** load precompiled Lua chunks
 ** See Copyright Notice in lua.h
 */
@@ -2077,3 +2077,31 @@ patch = [[
 ]],
 }
+-----------------------------------------------------------------
+-- Lua 5.1.4
+Bug{
+what = [[malicious zero-length string in binary code may segfault Lua]],
+report = [["Peter Cawley, on 2008/09/01]],
+since = [[5.1]],
+example = [[
+loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()
+]],
+patch = [[
+]],
+}
+Bug{
+what = [[wrong code generation for some particular boolean expressions]],
+report = [["Brian Kelley, on 2009/04/15]],
+since = [[5.0]],
+example = [[
+print(((1 or false) and true) or false)   --> 1
+-- should be 'true'
+]],
+patch = [[
+]],
+}
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2009-04-27 17:11:11 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2009-04-27 17:11:11 -0300
commit	58c3aa8b5f51194980a9abf463a2648bb1413925 (patch)
tree	df81fcd2496b56e94850a451f6f100b97305fe9b
parent	c1f78ff3d32298fbae950bf655bdca11179343ce (diff)
download	lua-58c3aa8b5f51194980a9abf463a2648bb1413925.tar.gz lua-58c3aa8b5f51194980a9abf463a2648bb1413925.tar.bz2 lua-58c3aa8b5f51194980a9abf463a2648bb1413925.zip

diff --git a/bugs b/bugs index e76692b0..41c5f83e 100644 --- a/bugs +++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4	1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4
1881	@@ -1,5 +1,5 @@	1881	@@ -1,5 +1,5 @@
1882	/*	1882	/*
1883	-** $Id: bugs,v 1.97 2008/07/11 17:27:41 roberto Exp roberto $	1883	-** $Id: bugs,v 1.98 2008/08/06 13:32:45 roberto Exp roberto $
1884	+** $Id: bugs,v 1.97 2008/07/11 17:27:41 roberto Exp roberto $	1884	+** $Id: bugs,v 1.98 2008/08/06 13:32:45 roberto Exp roberto $
1885	** load precompiled Lua chunks	1885	** load precompiled Lua chunks
1886	** See Copyright Notice in lua.h	1886	** See Copyright Notice in lua.h
1887	*/	1887	*/
@@ -2077,3 +2077,31 @@ patch = [[
2077	]],	2077	]],
2078	}	2078	}
2079		2079
		2080
		2081	-----------------------------------------------------------------
		2082	-- Lua 5.1.4
		2083
		2084	Bug{
		2085	what = [[malicious zero-length string in binary code may segfault Lua]],
		2086	report = [["Peter Cawley, on 2008/09/01]],
		2087	since = [[5.1]],
		2088	example = [[
		2089	loadstring(('').dump(function()X''end):gsub('\2%z%z%zX','\0\0\0'))()
		2090	]],
		2091	patch = [[
		2092	]],
		2093	}
		2094
		2095
		2096	Bug{
		2097	what = [[wrong code generation for some particular boolean expressions]],
		2098	report = [["Brian Kelley, on 2009/04/15]],
		2099	since = [[5.0]],
		2100	example = [[
		2101	print(((1 or false) and true) or false) --> 1
		2102	-- should be 'true'
		2103	]],
		2104	patch = [[
		2105	]],
		2106	}
		2107