bugs: lua_checkstack may have arithmetic overflow for large 'size' +

unpack with maximum indices may crash due to arithmetic overflow
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2008-02-14 14:51:57 -0200
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2008-02-14 14:51:57 -0200
commit: 32d42bdcdc5d7115fea441244d334153b73b3a53 (patch)
tree: a71a96f34708fe04f79081015f45a376803e19f8 /bugs
parent: 843d53aabb1aa64ac55f95c1533ff29095ab585f (diff)
download: lua-32d42bdcdc5d7115fea441244d334153b73b3a53.tar.gz
lua-32d42bdcdc5d7115fea441244d334153b73b3a53.tar.bz2
lua-32d42bdcdc5d7115fea441244d334153b73b3a53.zip
1 files changed, 61 insertions, 0 deletions
diff --git a/bugs b/bugs
index bc55cee3..1dbca762 100644
--- a/bugs
+++ b/bugs
@@ -1736,6 +1736,67 @@ lbaselib.c:
 }
 Bug{
+what = [[lua_checkstack may have arithmetic overflow for large 'size']],
+report = [[Patrick Donnelly, on 2008/02/12]],
+since = [[5.0]],
+example = [[
+print(unpack({1,2,3}, 0, 2^31-3))
+]],
+patch = [[
+--- lapi.c      2008/01/03 15:20:39     2.55.1.3
+++ lapi.c      2008/02/14 16:05:21
+@@ -93,15 +93,14 @@
+ 
+ 
+ LUA_API int lua_checkstack (lua_State *L, int size) {
+-  int res;
+  int res = 1;
+   lua_lock(L);
+-  if ((L->top - L->base + size) > LUAI_MAXCSTACK)
+  if (size > LUAI_MAXCSTACK || (L->top - L->base + size) > LUAI_MAXCSTACK)
+     res = 0;  /* stack overflow */
+-  else {
+  else if (size > 0) {
+     luaD_checkstack(L, size);
+     if (L->ci->top < L->top + size)
+       L->ci->top = L->top + size;
+-    res = 1;
+   }
+   lua_unlock(L);
+   return res;
+]],
+}
+Bug{
+what = [[unpack with maximum indices may crash due to arithmetic overflow]],
+report = [[Patrick Donnelly, on 2008/02/12]],
+since = [[5.1]],
+example = [[
+print(unpack({1,2,3}, 2^31-1, 2^31-1))
+]],
+patch = [[
+--- lbaselib.c  2008/02/11 16:24:24     1.191.1.5
+++ lbaselib.c  2008/02/14 16:10:25
+@@ -344,10 +344,12 @@
+   luaL_checktype(L, 1, LUA_TTABLE);
+   i = luaL_optint(L, 2, 1);
+   e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
+  if (i > e) return 0;  /* empty range */
+   n = e - i + 1;  /* number of elements */
+-  if (n <= 0) return 0;  /* empty range */
+-  luaL_checkstack(L, n, "table too big to unpack");
+-  for (; i<=e; i++)  /* push arg[i...e] */
+  if (n <= 0 || !lua_checkstack(L, n))  /* n <= 0 means arith. overflow */
+    return luaL_error(L, "too many results to unpack");
+  lua_rawgeti(L, 1, i);  /* push arg[i] (avoiding overflow problems) */
+  while (i++ < e)  /* push arg[i + 1...e] */
+     lua_rawgeti(L, 1, i);
+   return n;
+ }
+]],
+}
+Bug{
 what = [[ ]],
 report = [[ , on ]],
 since = [[i ]],
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2008-02-14 14:51:57 -0200
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2008-02-14 14:51:57 -0200
commit	32d42bdcdc5d7115fea441244d334153b73b3a53 (patch)
tree	a71a96f34708fe04f79081015f45a376803e19f8 /bugs
parent	843d53aabb1aa64ac55f95c1533ff29095ab585f (diff)
download	lua-32d42bdcdc5d7115fea441244d334153b73b3a53.tar.gz lua-32d42bdcdc5d7115fea441244d334153b73b3a53.tar.bz2 lua-32d42bdcdc5d7115fea441244d334153b73b3a53.zip

diff --git a/bugs b/bugs index bc55cee3..1dbca762 100644 --- a/bugs +++ b/bugs
@@ -1736,6 +1736,67 @@ lbaselib.c:
1736	}	1736	}
1737		1737
1738	Bug{	1738	Bug{
		1739	what = [[lua_checkstack may have arithmetic overflow for large 'size']],
		1740	report = [[Patrick Donnelly, on 2008/02/12]],
		1741	since = [[5.0]],
		1742	example = [[
		1743	print(unpack({1,2,3}, 0, 2^31-3))
		1744	]],
		1745	patch = [[
		1746	--- lapi.c 2008/01/03 15:20:39 2.55.1.3
		1747	+++ lapi.c 2008/02/14 16:05:21
		1748	@@ -93,15 +93,14 @@
		1749
		1750
		1751	LUA_API int lua_checkstack (lua_State *L, int size) {
		1752	- int res;
		1753	+ int res = 1;
		1754	lua_lock(L);
		1755	- if ((L->top - L->base + size) > LUAI_MAXCSTACK)
		1756	+ if (size > LUAI_MAXCSTACK \|\| (L->top - L->base + size) > LUAI_MAXCSTACK)
		1757	res = 0; /* stack overflow */
		1758	- else {
		1759	+ else if (size > 0) {
		1760	luaD_checkstack(L, size);
		1761	if (L->ci->top < L->top + size)
		1762	L->ci->top = L->top + size;
		1763	- res = 1;
		1764	}
		1765	lua_unlock(L);
		1766	return res;
		1767	]],
		1768	}
		1769
		1770	Bug{
		1771	what = [[unpack with maximum indices may crash due to arithmetic overflow]],
		1772	report = [[Patrick Donnelly, on 2008/02/12]],
		1773	since = [[5.1]],
		1774	example = [[
		1775	print(unpack({1,2,3}, 2^31-1, 2^31-1))
		1776	]],
		1777	patch = [[
		1778	--- lbaselib.c 2008/02/11 16:24:24 1.191.1.5
		1779	+++ lbaselib.c 2008/02/14 16:10:25
		1780	@@ -344,10 +344,12 @@
		1781	luaL_checktype(L, 1, LUA_TTABLE);
		1782	i = luaL_optint(L, 2, 1);
		1783	e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
		1784	+ if (i > e) return 0; /* empty range */
		1785	n = e - i + 1; /* number of elements */
		1786	- if (n <= 0) return 0; /* empty range */
		1787	- luaL_checkstack(L, n, "table too big to unpack");
		1788	- for (; i<=e; i++) /* push arg[i...e] */
		1789	+ if (n <= 0 \|\| !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
		1790	+ return luaL_error(L, "too many results to unpack");
		1791	+ lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
		1792	+ while (i++ < e) /* push arg[i + 1...e] */
		1793	lua_rawgeti(L, 1, i);
		1794	return n;
		1795	}
		1796	]],
		1797	}
		1798
		1799	Bug{
1739	what = [[ ]],	1800	what = [[ ]],
1740	report = [[ , on ]],	1801	report = [[ , on ]],
1741	since = [[i ]],	1802	since = [[i ]],