authorRoberto Ierusalimschy <roberto@inf.puc-rio.br>2007-07-31 16:39:52 -0300
committerRoberto Ierusalimschy <roberto@inf.puc-rio.br>2007-07-31 16:39:52 -0300
commitf6a81dbe9770f0e64d04b4e7be17c826d53253aa (patch)
treeb793122f3eeff25b2b7146d9261c79b66f152a1f
parent3904a66ab0ea441504afb74160fb6ff5efd8d33b (diff)
BUG: too many variables in an assignment may cause a C stack overflow
-rw-r--r--bugs28
-rw-r--r--lparser.c8
2 files changed, 33 insertions, 3 deletions
diff --git a/bugs b/bugs
index f1af3721..d58e92f4 100644
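--- a/bugs
+++ b/bugs
@@ -1382,6 +1382,11 @@ patch = [[remove the '#include "lobject.h" and use
 'lua_pushfstring' instead of 'luaO_pushfstring']],
 }
 
+
+
+-----------------------------------------------------------------
+-- Lua 5.1.2
+
 Bug{
 what = [[Lua may close standard files,
 which then may be used by C]],
@@ -1493,6 +1498,29 @@ ltable.c:
 }
 
 Bug{
+what = [[Too many variables in an assignment may cause a
+C stack overflow]],
+report = [[Mike Pall, on 07/2007]],
+since = [[5.0]],
+example = [[
+$ ulimit -s 1024 # Reduce C stack to 1MB for quicker results
+$ lua -e 'local s = "a,"; for i=1,18 do s = s..s end print(loadstring("local a "..s.."a=nil", ""))'
+]],
+patch = [[
+lparser.c:
+@@ -938,6 +938,8 @@
+ primaryexp(ls, &nv.v);
+ if (nv.v.k == VLOCAL)
+ check_conflict(ls, lh, &nv.v);
++ luaY_checklimit(ls->fs, nvars, LUAI_MAXCCALLS - ls->L->nCcalls,
++ "variable names");
+ assignment(ls, &nv, nvars+1);
+ }
+ else { /* assignment -> `=' explist1 */
+]],
+}
+
+Bug{
 what = [[ ]],
 report = [[ , on ]],
 since = [[i ]],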
diff --git a/lparser.c b/lparser.c
index 8468ab0e..648a7437 100644
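--- a/lparser.c
+++ b/lparser.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lparser.c,v 2.52 2007/03/27 14:11:38 roberto Exp roberto $
+** $Id: lparser.c,v 2.53 2007/05/11 17:28:56 roberto Exp roberto $
 ** Lua Parser
 ** See Copyright Notice in lua.h
 */
@@ -73,8 +73,8 @@ static void errorlimit (FuncState *fs, int limit, const char *what) {
  const char *where = (fs->f->linedefined == 0) ?
  "main function" :
  luaO_pushfstring(fs->L, "function at line %d", fs->f->linedefined);
- msg = luaO_pushfstring(fs->L, "too many %s in %s (limit is %d)",
- what, where, limit);
+ msg = luaO_pushfstring(fs->L, "too many %s (limit is %d) in %s",
+ what, limit, where);
  luaX_lexerror(fs->ls, msg, fs->ls->t.token);
 }
 
@@ -946,6 +946,8 @@ static void assignment (LexState *ls, struct LHS_assign *lh, int nvars) {
  primaryexp(ls, &nv.v);
  if (nv.v.k == VLOCAL)
  check_conflict(ls, lh, &nv.v);
+ luaY_checklimit(ls->fs, nvars, LUAI_MAXCCALLS - G(ls->L)->nCcalls,
+ "variable names");
  assignment(ls, &nv, nvars+1);
  }
  else { /* assignment -> `=' explist1 */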
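Review bot: The new `luaY_checklimit` call in `assignment`, placed just before the recursive `assignment(ls, &nv, nvars+1)`, bounds `nvars` by the remaining C-call budget but does not charge the recursion itself to `nCcalls`. Any nested parsing reached through `primaryexp` at depth `nvars` therefore presumably still sees the full budget, so the two depths can add up to roughly twice what `LUAI_MAXCCALLS` is meant to allow; counting each level in the shared counter around the recursive call would keep a single budget. At minimum the check deserves a comment such as `/* each extra LHS variable is one more C-level recursion; bound it by the C calls still available */`. The patch text recorded in the `bugs` entry reads `ls->L->nCcalls` while this hunk uses `G(ls->L)->nCcalls`, which looks like a deliberate difference between the released and development trees but is worth confirming for anyone applying the recorded patch. The body of `assignment` starts and ends outside this hunk, so how the other recursive parser paths count depth should be checked there.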