diff options
| author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-07-18 16:18:30 -0300 |
|---|---|---|
| committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-07-18 16:18:30 -0300 |
| commit | 303f4155593721dfd57dadc6e56122e465ce9efb (patch) | |
| tree | 2b723c2d744a53f96b0f067e5a39a15a7f9259ad /lvm.c | |
| parent | ccb8b307f11c7497e61f617b12f3a7f0a697256c (diff) | |
| download | lua-303f4155593721dfd57dadc6e56122e465ce9efb.tar.gz lua-303f4155593721dfd57dadc6e56122e465ce9efb.tar.bz2 lua-303f4155593721dfd57dadc6e56122e465ce9efb.zip | |
Randomness added to table length computation
A bad actor could fill only a few entries in a table (power of twos in
decreasing order, see tests) and produce a small table with a huge
length. If your program builds a table with external data and iterates
over its length, this behavior could be an issue.
Diffstat (limited to 'lvm.c')
| -rw-r--r-- | lvm.c | 2 |
1 files changed, 1 insertions, 1 deletions
| @@ -722,7 +722,7 @@ void luaV_objlen (lua_State *L, StkId ra, const TValue *rb) { | |||
| 722 | Table *h = hvalue(rb); | 722 | Table *h = hvalue(rb); |
| 723 | tm = fasttm(L, h->metatable, TM_LEN); | 723 | tm = fasttm(L, h->metatable, TM_LEN); |
| 724 | if (tm) break; /* metamethod? break switch to call it */ | 724 | if (tm) break; /* metamethod? break switch to call it */ |
| 725 | setivalue(s2v(ra), l_castU2S(luaH_getn(h))); /* else primitive len */ | 725 | setivalue(s2v(ra), l_castU2S(luaH_getn(L, h))); /* else primitive len */ |
| 726 | return; | 726 | return; |
| 727 | } | 727 | } |
| 728 | case LUA_VSHRSTR: { | 728 | case LUA_VSHRSTR: { |