IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate

up to 60 characters in a `printf'. That causes a buffer overflow in `tostring'..
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2003-08-29 13:50:02 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2003-08-29 13:50:02 -0300
commit: 994a37c8e88d090421afb7ca639f01f868708452 (patch)
tree: 4e5d18829ef542e2f32c69dd3fe4af0c918a1e9e
parent: 0ff1596476f7e3f65cd5505d148d43baf58fbaac (diff)
download: lua-994a37c8e88d090421afb7ca639f01f868708452.tar.gz
lua-994a37c8e88d090421afb7ca639f01f868708452.tar.bz2
lua-994a37c8e88d090421afb7ca639f01f868708452.zip
1 files changed, 26 insertions, 2 deletions
diff --git a/bugs b/bugs
index 9e9df19b..d202ee22 100644
--- a/bugs
+++ b/bugs
@@ -445,13 +445,13 @@ for i=1,10000000 do
 end
 ]],
 patch = [[
-*lgc.h:
+* lgc.h:
 18c18
 < void luaC_separateudata (lua_State *L);
 ---
 > size_t luaC_separateudata (lua_State *L);
-*lgc.c:
+* lgc.c:
 113c113,114
 < void luaC_separateudata (lua_State *L) {
 ---
@@ -489,4 +489,28 @@ patch = [[
 ---
 >   checkSizes(L, deadmem);
 ]]
+}
+Bug{
+what=[[IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate
+up to 60 characters in a `printf'. That causes a buffer overflow in
+`tostring'.]],
+report = [[David Burgess, 25/08/2003]],
+example = [[print{}; (in an AS400 machine)]],
+patch = [[
+* liolib.c:
+178c178
+<   char buff[32];
+---
+>   char buff[128];
+* lbaselib.c:
+327c327
+<   char buff[64];
+---
+>   char buff[128];
+]]
+}
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2003-08-29 13:50:02 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2003-08-29 13:50:02 -0300
commit	994a37c8e88d090421afb7ca639f01f868708452 (patch)
tree	4e5d18829ef542e2f32c69dd3fe4af0c918a1e9e
parent	0ff1596476f7e3f65cd5505d148d43baf58fbaac (diff)
download	lua-994a37c8e88d090421afb7ca639f01f868708452.tar.gz lua-994a37c8e88d090421afb7ca639f01f868708452.tar.bz2 lua-994a37c8e88d090421afb7ca639f01f868708452.zip

diff --git a/bugs b/bugs index 9e9df19b..d202ee22 100644 --- a/bugs +++ b/bugs
@@ -445,13 +445,13 @@ for i=1,10000000 do
445	end	445	end
446	]],	446	]],
447	patch = [[	447	patch = [[
448	*lgc.h:	448	* lgc.h:
449	18c18	449	18c18
450	< void luaC_separateudata (lua_State *L);	450	< void luaC_separateudata (lua_State *L);
451	---	451	---
452	> size_t luaC_separateudata (lua_State *L);	452	> size_t luaC_separateudata (lua_State *L);
453		453
454	*lgc.c:	454	* lgc.c:
455	113c113,114	455	113c113,114
456	< void luaC_separateudata (lua_State *L) {	456	< void luaC_separateudata (lua_State *L) {
457	---	457	---
@@ -489,4 +489,28 @@ patch = [[
489	---	489	---
490	> checkSizes(L, deadmem);	490	> checkSizes(L, deadmem);
491	]]	491	]]
		492	}
		493
		494	Bug{
		495	what=[[IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate
		496	up to 60 characters in a `printf'. That causes a buffer overflow in
		497	`tostring'.]],
492		498
		499	report = [[David Burgess, 25/08/2003]],
		500
		501	example = [[print{}; (in an AS400 machine)]],
		502
		503	patch = [[
		504	* liolib.c:
		505	178c178
		506	< char buff[32];
		507	---
		508	> char buff[128];
		509
		510	* lbaselib.c:
		511	327c327
		512	< char buff[64];
		513	---
		514	> char buff[128];
		515	]]
		516	}