authorRoberto Ierusalimschy <roberto@inf.puc-rio.br>2023-12-21 13:37:51 -0300
committerRoberto Ierusalimschy <roberto@inf.puc-rio.br>2023-12-21 13:37:51 -0300
commit5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree403a884f463dc02a64b85a8b454a6e5386109376 /lstring.c
parent842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
Bug: Buffer overflow in string concatenation
Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
Diffstat (limited to 'lstring.c')
-rw-r--r--lstring.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lstring.c b/lstring.c
index e921dd0f..97757355 100644
--- a/lstring.c
+++ b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
224 return internshrstr(L, str, l); 224 return internshrstr(L, str, l);
225 else { 225 else {
226 TString *ts; 226 TString *ts;
227 if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char))) 227 if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
228 luaM_toobig(L); 228 luaM_toobig(L);
229 ts = luaS_createlngstrobj(L, l); 229 ts = luaS_createlngstrobj(L, l);
230 memcpy(getlngstr(ts), str, l * sizeof(char)); 230 memcpy(getlngstr(ts), str, l * sizeof(char));
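Review bot: The new guard at line 227 computes `l * sizeof(char)` on the caller-supplied length, which is itself unchecked size_t arithmetic and is safe only because sizeof(char) is 1 by definition. Since the correctness of this overflow check depends on that, it deserves a comment on the test, for example `/* 'l * sizeof(char)' cannot wrap because sizeof(char) == 1; reject before the TString header is added to the size */`. The allocation size is computed inside luaS_createlngstrobj, which is not visible here, so it is worth confirming that subtracting sizeof(TString) covers the header and any terminator byte that function adds. luaS_newlstr starts and ends outside this hunk.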