author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2023-12-21 13:37:51 -0300 |
---|---|---|
committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2023-12-21 13:37:51 -0300 |
commit | 5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch) | |
tree | 403a884f463dc02a64b85a8b454a6e5386109376 /lstring.c | |
parent | 842a83f09caa2ebd4bc03e0076420148ac07c808 (diff) | |
Bug: Buffer overflow in string concatenation
Even if the string fits in size_t, the whole size of the TString object
can overflow when we add the header.
Diffstat (limited to 'lstring.c')
-rw-r--r-- | lstring.c | 2 |
1 files changed, 1 insertions, 1 deletions
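--- a/lstring.c
+++ b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
 return internshrstr(L, str, l);
 else {
 TString *ts;
-if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
 luaM_toobig(L);
 ts = luaS_createlngstrobj(L, l);
 memcpy(getlngstr(ts), str, l * sizeof(char));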
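Review bot: The rewritten guard on line 227 is arithmetically the same test as the one it replaces, because sizeof(char) is 1 by definition, so this hunk on its own does not change which lengths reach luaS_createlngstrobj. The overflow named in the commit message is presumably closed at the concatenation call site, which this lstring.c-only view does not show. Multiply-then-compare is also the form that can wrap in general, whereas the removed divide form could not, so the line deserves a comment saying why it is safe here, e.g. `/* l * sizeof(char) cannot wrap (sizeof(char) == 1); '>=' keeps header + payload below MAX_SIZE */`. Whether the one byte of slack left by `>=` covers a terminator depends on luaS_createlngstrobj, which is not visible here, and the body of luaS_newlstr continues past the end of the hunk.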