BUG: string concatenation may cause arithmetic overflow, leading

to a buffer overflow.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2004-06-08 13:23:58 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2004-06-08 13:23:58 -0300
commit: 9b854e6dbcf569113f68e63d87644b69eb00a228 (patch)
tree: 11eb6b8f2bc3fe0e9138a7eea97ac84c343280ff /lvm.c
parent: 2b2d8ecd7aba6cc7604532c53372db01a30618d3 (diff)
download: lua-9b854e6dbcf569113f68e63d87644b69eb00a228.tar.gz
lua-9b854e6dbcf569113f68e63d87644b69eb00a228.tar.bz2
lua-9b854e6dbcf569113f68e63d87644b69eb00a228.zip
1 files changed, 4 insertions, 3 deletions
diff --git a/lvm.c b/lvm.c
index 44d77783..ffed66e3 100644
--- a/lvm.c
+++ b/lvm.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lvm.c,v 2.7 2004/05/31 18:51:50 roberto Exp roberto $
+** $Id: lvm.c,v 2.8 2004/06/02 19:07:55 roberto Exp roberto $
 ** Lua virtual machine
 ** See Copyright Notice in lua.h
 */
@@ -308,10 +308,11 @@ void luaV_concat (lua_State *L, int total, int last) {
      char *buffer;
      int i;
      while (n < total && tostring(L, top-n-1)) {  /* collect total length */
-        tl += tsvalue(top-n-1)->len;
+        size_t l = tsvalue(top-n-1)->len;
+        if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+        tl += l;
        n++;
      }
-      if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
      buffer = luaZ_openspace(L, &G(L)->buff, tl);
      tl = 0;
      for (i=n; i>0; i--) {  /* concat all strings */
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2004-06-08 13:23:58 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2004-06-08 13:23:58 -0300
commit	9b854e6dbcf569113f68e63d87644b69eb00a228 (patch)
tree	11eb6b8f2bc3fe0e9138a7eea97ac84c343280ff /lvm.c
parent	2b2d8ecd7aba6cc7604532c53372db01a30618d3 (diff)
download	lua-9b854e6dbcf569113f68e63d87644b69eb00a228.tar.gz lua-9b854e6dbcf569113f68e63d87644b69eb00a228.tar.bz2 lua-9b854e6dbcf569113f68e63d87644b69eb00a228.zip