aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoberto Ierusalimschy <roberto@inf.puc-rio.br>2003-08-25 16:49:47 -0300
committerRoberto Ierusalimschy <roberto@inf.puc-rio.br>2003-08-25 16:49:47 -0300
commit64066359dda2a0920d307e901185faf78cc32b97 (patch)
tree9a96a621d304931cc8658cb4d92ee3592a9975d3
parent97af24ea3246dca0258ba7089cf2df7ac2080560 (diff)
downloadlua-64066359dda2a0920d307e901185faf78cc32b97.tar.gz
lua-64066359dda2a0920d307e901185faf78cc32b97.tar.bz2
lua-64066359dda2a0920d307e901185faf78cc32b97.zip
bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate
up to 60 characters in a `printf'. That causes a buffer overflow in `tostring'..
Diffstat
-rw-r--r--lbaselib.c27
-rw-r--r--liolib.c4
2 files changed, 19 insertions, 12 deletions
diff --git a/lbaselib.c b/lbaselib.c
index 4c761bbf..fd5c7428 100644
--- a/lbaselib.c
+++ b/lbaselib.c
@@ -1,5 +1,5 @@
1/* 1/*
2** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $ 2** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
3** Basic library 3** Basic library
4** See Copyright Notice in lua.h 4** See Copyright Notice in lua.h
5*/ 5*/
@@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {
324 324
325 325
326static int luaB_tostring (lua_State *L) { 326static int luaB_tostring (lua_State *L) {
327 char buff[64]; 327 char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
328 const char *tn = "";
329 const void *p = NULL;
328 luaL_checkany(L, 1); 330 luaL_checkany(L, 1);
329 if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */ 331 if (luaL_callmeta(L, 1, "__tostring")) /* is there a metafield? */
330 return 1; /* use its value */ 332 return 1; /* use its value */
@@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
338 case LUA_TBOOLEAN: 340 case LUA_TBOOLEAN:
339 lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false")); 341 lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
340 return 1; 342 return 1;
343 case LUA_TNIL:
344 lua_pushliteral(L, "nil");
345 return 1;
341 case LUA_TTABLE: 346 case LUA_TTABLE:
342 sprintf(buff, "table: %p", lua_topointer(L, 1)); 347 p = lua_topointer(L, 1);
348 tn = "table";
343 break; 349 break;
344 case LUA_TFUNCTION: 350 case LUA_TFUNCTION:
345 sprintf(buff, "function: %p", lua_topointer(L, 1)); 351 p = lua_topointer(L, 1);
352 tn = "function";
346 break; 353 break;
347 case LUA_TUSERDATA: 354 case LUA_TUSERDATA:
348 case LUA_TLIGHTUSERDATA: 355 case LUA_TLIGHTUSERDATA:
349 sprintf(buff, "userdata: %p", lua_touserdata(L, 1)); 356 p = lua_touserdata(L, 1);
357 tn = "userdata";
350 break; 358 break;
351 case LUA_TTHREAD: 359 case LUA_TTHREAD:
352 sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1)); 360 p = lua_tothread(L, 1);
361 tn = "thread";
353 break; 362 break;
354 case LUA_TNIL:
355 lua_pushliteral(L, "nil");
356 return 1;
357 } 363 }
358 lua_pushstring(L, buff); 364 sprintf(buff, "%p", p);
365 lua_pushfstring(L, "%s: %s", tn, buff);
359 return 1; 366 return 1;
360} 367}
361 368
diff --git a/liolib.c b/liolib.c
index 45dc6cb3..112a1fce 100644
--- a/liolib.c
+++ b/liolib.c
@@ -1,5 +1,5 @@
1/* 1/*
2** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $ 2** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
3** Standard I/O (and system) library 3** Standard I/O (and system) library
4** See Copyright Notice in lua.h 4** See Copyright Notice in lua.h
5*/ 5*/
@@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {
152 152
153 153
154static int io_tostring (lua_State *L) { 154static int io_tostring (lua_State *L) {
155 char buff[32]; 155 char buff[4*sizeof(void *) + 2]; /* enough space for a `%p' */
156 FILE **f = topfile(L, 1); 156 FILE **f = topfile(L, 1);
157 if (*f == NULL) 157 if (*f == NULL)
158 strcpy(buff, "closed"); 158 strcpy(buff, "closed");
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 22:02:04 +0000