bug: 'string.format("%f")' can cause a buffer overflow (with long doubles)

bug: 'debug.getlocal' on a coroutine suspended in a hook can crash the interpreter
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2015-02-20 16:21:29 -0200
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2015-02-20 16:21:29 -0200
commit: d51bdc166d144b3d81b01e2b97a5420978528e01 (patch)
tree: d346ee9ffd4e6d92bc49c75e5896dfdecf082a85
parent: 81245b1ad51c5f4a4dd71da272b65b2450929b80 (diff)
download: lua-d51bdc166d144b3d81b01e2b97a5420978528e01.tar.gz
lua-d51bdc166d144b3d81b01e2b97a5420978528e01.tar.bz2
lua-d51bdc166d144b3d81b01e2b97a5420978528e01.zip
1 files changed, 92 insertions, 2 deletions
diff --git a/bugs b/bugs
index 0d0c3b25..ecf93183 100644
--- a/bugs
+++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
 +++ lundump.c   2008/04/04 19:51:41     2.7.1.4
 @@ -1,5 +1,5 @@
 /*
-** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
+-** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
-+** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $
+** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
 ** load precompiled Lua chunks
 ** See Copyright Notice in lua.h
 */
@@ -3273,6 +3273,94 @@ patch = [[
 }
+-----------------------------------------------------------------
+-- Lua 5.3.0
+Bug{
+what = [['string.format("%f")' can cause a buffer overflow
+(only when 'lua_Number' is long double!)]],
+report = [[Roberto, 2015/01/13]],
+since = [[5.3]],
+fix = nil,
+example = [[string.format("%.99f", 1e4000)    -- when floats are long double]],
+patch = [[
+]]
+}
+Bug{
+what = [['debug.getlocal' on a coroutine suspended in a hook
+can crash the interpreter]],
+report = [[云风, 2015/02/11]],
+since = [[5.2]],
+fix = nil,
+example = [[see http://lua-users.org/lists/lua-l/2015-02/msg00146.html]],
+patch = [[
+--- ldebug.c    2015/01/02 12:52:22     2.110
+++ ldebug.c    2015/02/13 16:03:23
+@@ -1,4 +1,4 @@
+ /*
+-** $Id: ldebug.c,v 2.110 2015/01/02 12:52:22 roberto Exp $
+** $Id: ldebug.c,v 2.111 2015/02/13 16:01:17 roberto Exp $
+ ** Debug Interface
+ ** See Copyright Notice in lua.h
+@@ -49,4 +49,14 @@
+ 
+ 
+static void swapextra (lua_State *L) {
+  if (L->status == LUA_YIELD) {
+    CallInfo *ci = L->ci;  /* get function that yielded */
+    StkId temp = ci->func;  /* exchange its 'func' and 'extra' values */
+    ci->func = restorestack(L, ci->extra);
+    ci->extra = savestack(L, temp);
+  }
+}
+
+
+ /*
+ ** this function can be called asynchronous (e.g. during a signal)
+@@ -145,4 +155,5 @@
+   const char *name;
+   lua_lock(L);
+  swapextra(L);
+   if (ar == NULL) {  /* information about non-active function? */
+     if (!isLfunction(L->top - 1))  /* not a Lua function? */
+@@ -159,4 +170,5 @@
+     }
+   }
+  swapextra(L);
+   lua_unlock(L);
+   return name;
+@@ -166,10 +178,13 @@
+ LUA_API const char *lua_setlocal (lua_State *L, const lua_Debug *ar, int n) {
+   StkId pos = 0;  /* to avoid warnings */
+-  const char *name = findlocal(L, ar->i_ci, n, &pos);
+  const char *name;
+   lua_lock(L);
+  swapextra(L);
+  name = findlocal(L, ar->i_ci, n, &pos);
+   if (name) {
+     setobjs2s(L, pos, L->top - 1);
+     L->top--;  /* pop value */
+   }
+  swapextra(L);
+   lua_unlock(L);
+   return name;
+@@ -271,4 +286,5 @@
+   StkId func;
+   lua_lock(L);
+  swapextra(L);
+   if (*what == '>') {
+     ci = NULL;
+@@ -289,4 +305,5 @@
+     api_incr_top(L);
+   }
+  swapextra(L);
+   if (strchr(what, 'L'))
+     collectvalidlines(L, cl);
+]]
+}
 --[=[
 Bug{
 what = [[ ]],
@@ -3284,3 +3372,5 @@ patch = [[
 ]]
 }
 ]=]
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2015-02-20 16:21:29 -0200
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2015-02-20 16:21:29 -0200
commit	d51bdc166d144b3d81b01e2b97a5420978528e01 (patch)
tree	d346ee9ffd4e6d92bc49c75e5896dfdecf082a85
parent	81245b1ad51c5f4a4dd71da272b65b2450929b80 (diff)
download	lua-d51bdc166d144b3d81b01e2b97a5420978528e01.tar.gz lua-d51bdc166d144b3d81b01e2b97a5420978528e01.tar.bz2 lua-d51bdc166d144b3d81b01e2b97a5420978528e01.zip

diff --git a/bugs b/bugs index 0d0c3b25..ecf93183 100644 --- a/bugs +++ b/bugs
@@ -1880,8 +1880,8 @@ patch = [[
1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4	1880	+++ lundump.c 2008/04/04 19:51:41 2.7.1.4
1881	@@ -1,5 +1,5 @@	1881	@@ -1,5 +1,5 @@
1882	/*	1882	/*
1883	-** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $	1883	-** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
1884	+** $Id: bugs,v 1.133 2014/09/01 16:56:01 roberto Exp roberto $	1884	+** $Id: bugs,v 1.134 2015/02/09 17:57:45 roberto Exp roberto $
1885	** load precompiled Lua chunks	1885	** load precompiled Lua chunks
1886	** See Copyright Notice in lua.h	1886	** See Copyright Notice in lua.h
1887	*/	1887	*/
@@ -3273,6 +3273,94 @@ patch = [[
3273	}	3273	}
3274		3274
3275		3275
		3276	-----------------------------------------------------------------
		3277	-- Lua 5.3.0
		3278
		3279	Bug{
		3280	what = [['string.format("%f")' can cause a buffer overflow
		3281	(only when 'lua_Number' is long double!)]],
		3282	report = [[Roberto, 2015/01/13]],
		3283	since = [[5.3]],
		3284	fix = nil,
		3285	example = [[string.format("%.99f", 1e4000) -- when floats are long double]],
		3286	patch = [[
		3287	]]
		3288	}
		3289
		3290	Bug{
		3291	what = [['debug.getlocal' on a coroutine suspended in a hook
		3292	can crash the interpreter]],
		3293	report = [[云风, 2015/02/11]],
		3294	since = [[5.2]],
		3295	fix = nil,
		3296	example = [[see http://lua-users.org/lists/lua-l/2015-02/msg00146.html]],
		3297	patch = [[
		3298	--- ldebug.c 2015/01/02 12:52:22 2.110
		3299	+++ ldebug.c 2015/02/13 16:03:23
		3300	@@ -1,4 +1,4 @@
		3301	/*
		3302	-** $Id: ldebug.c,v 2.110 2015/01/02 12:52:22 roberto Exp $
		3303	+** $Id: ldebug.c,v 2.111 2015/02/13 16:01:17 roberto Exp $
		3304	** Debug Interface
		3305	** See Copyright Notice in lua.h
		3306	@@ -49,4 +49,14 @@
		3307
		3308
		3309	+static void swapextra (lua_State *L) {
		3310	+ if (L->status == LUA_YIELD) {
		3311	+ CallInfo ci = L->ci; / get function that yielded */
		3312	+ StkId temp = ci->func; /* exchange its 'func' and 'extra' values */
		3313	+ ci->func = restorestack(L, ci->extra);
		3314	+ ci->extra = savestack(L, temp);
		3315	+ }
		3316	+}
		3317	+
		3318	+
		3319	/*
		3320	** this function can be called asynchronous (e.g. during a signal)
		3321	@@ -145,4 +155,5 @@
		3322	const char *name;
		3323	lua_lock(L);
		3324	+ swapextra(L);
		3325	if (ar == NULL) { /* information about non-active function? */
		3326	if (!isLfunction(L->top - 1)) /* not a Lua function? */
		3327	@@ -159,4 +170,5 @@
		3328	}
		3329	}
		3330	+ swapextra(L);
		3331	lua_unlock(L);
		3332	return name;
		3333	@@ -166,10 +178,13 @@
		3334	LUA_API const char lua_setlocal (lua_State L, const lua_Debug *ar, int n) {
		3335	StkId pos = 0; /* to avoid warnings */
		3336	- const char *name = findlocal(L, ar->i_ci, n, &pos);
		3337	+ const char *name;
		3338	lua_lock(L);
		3339	+ swapextra(L);
		3340	+ name = findlocal(L, ar->i_ci, n, &pos);
		3341	if (name) {
		3342	setobjs2s(L, pos, L->top - 1);
		3343	L->top--; /* pop value */
		3344	}
		3345	+ swapextra(L);
		3346	lua_unlock(L);
		3347	return name;
		3348	@@ -271,4 +286,5 @@
		3349	StkId func;
		3350	lua_lock(L);
		3351	+ swapextra(L);
		3352	if (*what == '>') {
		3353	ci = NULL;
		3354	@@ -289,4 +305,5 @@
		3355	api_incr_top(L);
		3356	}
		3357	+ swapextra(L);
		3358	if (strchr(what, 'L'))
		3359	collectvalidlines(L, cl);
		3360	]]
		3361	}
		3362
		3363
3276	--[=[	3364	--[=[
3277	Bug{	3365	Bug{
3278	what = [[ ]],	3366	what = [[ ]],
@@ -3284,3 +3372,5 @@ patch = [[
3284	]]	3372	]]
3285	}	3373	}
3286	]=]	3374	]=]
		3375
		3376