Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2023-12-21 13:37:51 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2023-12-21 13:37:51 -0300
commit: 5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree: 403a884f463dc02a64b85a8b454a6e5386109376 /lstring.c
parent: 842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
download: lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.gz
lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.bz2
lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lstring.c b/lstring.c
index e921dd0f..97757355 100644
--- a/lstring.c
+++ b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
    return internshrstr(L, str, l);
  else {
    TString *ts;
-    if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+    if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
      luaM_toobig(L);
    ts = luaS_createlngstrobj(L, l);
    memcpy(getlngstr(ts), str, l * sizeof(char));
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2023-12-21 13:37:51 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2023-12-21 13:37:51 -0300
commit	5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree	403a884f463dc02a64b85a8b454a6e5386109376 /lstring.c
parent	842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
download	lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.gz lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.bz2 lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.zip

diff --git a/lstring.c b/lstring.c index e921dd0f..97757355 100644 --- a/lstring.c +++ b/lstring.c
@@ -224,7 +224,7 @@ TString luaS_newlstr (lua_State L, const char *str, size_t l) {
224	return internshrstr(L, str, l);	224	return internshrstr(L, str, l);
225	else {	225	else {
226	TString *ts;	226	TString *ts;
227	if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))	227	if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
228	luaM_toobig(L);	228	luaM_toobig(L);
229	ts = luaS_createlngstrobj(L, l);	229	ts = luaS_createlngstrobj(L, l);
230	memcpy(getlngstr(ts), str, l * sizeof(char));	230	memcpy(getlngstr(ts), str, l * sizeof(char));