authorRoberto Ierusalimschy <roberto@inf.puc-rio.br>2023-12-21 13:37:51 -0300
committerRoberto Ierusalimschy <roberto@inf.puc-rio.br>2023-12-21 13:37:51 -0300
commit5853c37a83ec66ccb45094f9aeac23dfdbcde671 (patch)
tree403a884f463dc02a64b85a8b454a6e5386109376 /lvm.c
parent842a83f09caa2ebd4bc03e0076420148ac07c808 (diff)
Bug: Buffer overflow in string concatenation
Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
Diffstat (limited to 'lvm.c')
-rw-r--r--lvm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lvm.c b/lvm.c
index 4d71cfff..918ae64c 100644
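--- a/lvm.c
+++ b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
 /* collect total length and number of strings */
 for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
 size_t l = tsslen(tsvalue(s2v(top - n - 1)));
-if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
 L->top.p = top - total; /* pop strings to avoid wasting stack */
 luaG_runerror(L, "string length overflow");
 }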
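Review bot: The new bound on line 664 is computed in unsigned arithmetic, so `MAX_SIZE - sizeof(TString) - tl` is only meaningful while `tl` is already below `MAX_SIZE - sizeof(TString)`; if `tl` ever reached that value the subtraction would wrap and the check would pass almost any `l`. The loop keeps that invariant once it holds, but the initial value of `tl` is set outside this hunk, so it cannot be confirmed from here. I would add a comment above the check stating the invariant, e.g. `/* tl < MAX_SIZE - sizeof(TString) holds on entry and after each iteration, so this cannot wrap */`. The limit presumably has to match the one enforced where the string object is allocated with its header; a single shared macro for "largest string payload" would stop the two checks drifting apart. luaV_concat's body starts and ends outside the hunk.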