BUG: string concatenation may cause arithmetic overflow, leading

to a buffer overflow.

2 files changed, 40 insertions, 3 deletions

diff --git a/bugs b/bugs
index 59af0765..5ad6f1c5 100644
--- a/bugs
+++ b/bugs
@@ -633,3 +633,39 @@ patch = [[
 ]],
 
 }
+
+
+
+-----------------------------------------------------------------
+-- Lua 5.0.2
+
+Bug{
+what = [[string concatenation may cause arithmetic overflow, leading
+to a buffer overflow]],
+
+report = [[Rici Lake, 20/05/2004]],
+
+example = [[
+longs = string.rep("\0", 2^25)
+function catter(i)
+    return assert(loadstring(
+      string.format("return function(a) return a%s end",
+                     string.rep("..a", i-1))))()
+end
+rep129 = catter(129)
+rep129(longs)
+]],
+
+patch = [[
+* lvm.c:
+329c329,331
+<         tl += tsvalue(top-n-1)->tsv.len;
+---
+>         size_t l = tsvalue(top-n-1)->tsv.len;
+>         if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+>         tl += l;
+332d333
+<       if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+]]
+}
+
diff --git a/lvm.c b/lvm.c
index 44d77783..ffed66e3 100644
--- a/lvm.c
+++ b/lvm.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lvm.c,v 2.7 2004/05/31 18:51:50 roberto Exp roberto $
+** $Id: lvm.c,v 2.8 2004/06/02 19:07:55 roberto Exp roberto $
 ** Lua virtual machine
 ** See Copyright Notice in lua.h
 */
@@ -308,10 +308,11 @@ void luaV_concat (lua_State *L, int total, int last) {
       char *buffer;
       int i;
       while (n < total && tostring(L, top-n-1)) {  /* collect total length */
-        tl += tsvalue(top-n-1)->len;
+        size_t l = tsvalue(top-n-1)->len;
+        if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+        tl += l;
         n++;
       }
-      if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
       buffer = luaZ_openspace(L, &G(L)->buff, tl);
       tl = 0;
       for (i=n; i>0; i--) {  /* concat all strings */