diff options
| author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2018-12-14 13:12:01 -0200 |
|---|---|---|
| committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2018-12-14 13:12:01 -0200 |
| commit | 57f5b81da9f1f23380d20f164012e10c5f4fef94 (patch) | |
| tree | f626d12697bfec8bba9290a0f11b29f71705eaab /bugs | |
| parent | fdc25a1ebfe9968dcec390dd556375105aa0be40 (diff) | |
| download | lua-57f5b81da9f1f23380d20f164012e10c5f4fef94.tar.gz lua-57f5b81da9f1f23380d20f164012e10c5f4fef94.tar.bz2 lua-57f5b81da9f1f23380d20f164012e10c5f4fef94.zip | |
Bug: Long brackets with a huge number of '=' causes overflow
A long bracket with too many equal signs can overflow the 'int' used for
the counting and some arithmetic done on the value. Changing the counter
to 'size_t' avoids that. (Because what is counted goes to a buffer, an
overflow in the counter will first raise a buffer-overflow error.)
Diffstat (limited to 'bugs')
| -rw-r--r-- | bugs | 19 |
1 files changed, 19 insertions, 0 deletions
| @@ -4017,6 +4017,25 @@ patch = [[ | |||
| 4017 | 4017 | ||
| 4018 | 4018 | ||
| 4019 | 4019 | ||
| 4020 | --[=[ | ||
| 4021 | Bug{ | ||
| 4022 | what = [[Long brackets with a huge number of '=' overflow some | ||
| 4023 | internal buffer arithmetic]], | ||
| 4024 | report = [[Marco, 2018/12/12]], | ||
| 4025 | since = [[5.1]], | ||
| 4026 | fix = nil, | ||
| 4027 | example = [[ | ||
| 4028 | local eqs = string.rep("=", 0x3ffffffe) | ||
| 4029 | local code = "return [" .. eqs .. "[a]" .. eqs .. "]" | ||
| 4030 | print(#assert(load(code))()) | ||
| 4031 | ]], | ||
| 4032 | patch = [[ | ||
| 4033 | ]] | ||
| 4034 | } | ||
| 4035 | ]=] | ||
| 4036 | |||
| 4037 | |||
| 4038 | |||
| 4020 | 4039 | ||
| 4021 | --[=[ | 4040 | --[=[ |
| 4022 | Bug{ | 4041 | Bug{ |