better patch for buffer overflow error

author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2004-11-03 10:22:39 -0200
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2004-11-03 10:22:39 -0200
commit: cfd7bc478f21494c254a8ed514271dbe655721b0 (patch)
tree: 37d545ce12b1af5895027f25f092c6a93fac723f /bugs
parent: 737ec947d3f33e73e587f7020dba40b1818ac64d (diff)
download: lua-cfd7bc478f21494c254a8ed514271dbe655721b0.tar.gz
lua-cfd7bc478f21494c254a8ed514271dbe655721b0.tar.bz2
lua-cfd7bc478f21494c254a8ed514271dbe655721b0.zip
1 files changed, 22 insertions, 8 deletions
diff --git a/bugs b/bugs
index 2efc9aba..d4cae38d 100644
--- a/bugs
+++ b/bugs
@@ -658,14 +658,28 @@ rep129(longs)
 patch = [[
 * lvm.c:
-329c329,331
+@@ -321,15 +321,15 @@
-<         tl += tsvalue(top-n-1)->tsv.len;
+         luaG_concaterror(L, top-2, top-1);
---
+     } else if (tsvalue(top-1)->tsv.len > 0) {  /* if len=0, do nothing */
->         size_t l = tsvalue(top-n-1)->tsv.len;
+       /* at least two string values; get as many as possible */
->         if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+-      lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
->         tl += l;
+-                  cast(lu_mem, tsvalue(top-2)->tsv.len);
-332d333
+      size_t tl = tsvalue(top-1)->tsv.len;
-<       if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+       char *buffer;
+       int i;
+-      while (n < total && tostring(L, top-n-1)) {  /* collect total length */
+-        tl += tsvalue(top-n-1)->tsv.len;
+-        n++;
+      /* collect total length */
+      for (n = 1; n < total && tostring(L, top-n-1); n++) {
+        size_t l = tsvalue(top-n-1)->tsv.len;
+        if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+        tl += l;
+       }
+-      if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+       buffer = luaZ_openspace(L, &G(L)->buff, tl);
+       tl = 0;
+       for (i=n; i>0; i--) {  /* concat all strings */
 ]]
 }
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2004-11-03 10:22:39 -0200
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2004-11-03 10:22:39 -0200
commit	cfd7bc478f21494c254a8ed514271dbe655721b0 (patch)
tree	37d545ce12b1af5895027f25f092c6a93fac723f /bugs
parent	737ec947d3f33e73e587f7020dba40b1818ac64d (diff)
download	lua-cfd7bc478f21494c254a8ed514271dbe655721b0.tar.gz lua-cfd7bc478f21494c254a8ed514271dbe655721b0.tar.bz2 lua-cfd7bc478f21494c254a8ed514271dbe655721b0.zip