Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2023-12-21 13:37:51 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2023-12-21 13:37:51 -0300
commit: 5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree: 403a884f463dc02a64b85a8b454a6e5386109376 /lvm.c
parent: 842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
download: lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.gz
lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.bz2
lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lvm.c b/lvm.c
index 4d71cfff..918ae64c 100644
--- a/lvm.c
+++ b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
      /* collect total length and number of strings */
      for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
        size_t l = tsslen(tsvalue(s2v(top - n - 1)));
-        if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+        if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
          L->top.p = top - total;  /* pop strings to avoid wasting stack */
          luaG_runerror(L, "string length overflow");
        }
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2023-12-21 13:37:51 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2023-12-21 13:37:51 -0300
commit	5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree	403a884f463dc02a64b85a8b454a6e5386109376 /lvm.c
parent	842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
download	lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.gz lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.tar.bz2 lua-5853c37a83ec66ccb45094f9aeac23dfdbcde671.zip

diff --git a/lvm.c b/lvm.c index 4d71cfff..918ae64c 100644 --- a/lvm.c +++ b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
661	/* collect total length and number of strings */	661	/* collect total length and number of strings */
662	for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {	662	for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
663	size_t l = tsslen(tsvalue(s2v(top - n - 1)));	663	size_t l = tsslen(tsvalue(s2v(top - n - 1)));
664	if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {	664	if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
665	L->top.p = top - total; /* pop strings to avoid wasting stack */	665	L->top.p = top - total; /* pop strings to avoid wasting stack */
666	luaG_runerror(L, "string length overflow");	666	luaG_runerror(L, "string length overflow");
667	}	667	}