| author | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-07-18 16:18:30 -0300 |
|---|---|---|
| committer | Roberto Ierusalimschy <roberto@inf.puc-rio.br> | 2025-07-18 16:18:30 -0300 |
| commit | 303f4155593721dfd57dadc6e56122e465ce9efb (patch) | |
| tree | 2b723c2d744a53f96b0f067e5a39a15a7f9259ad /testes | |
| parent | ccb8b307f11c7497e61f617b12f3a7f0a697256c (diff) | |
Randomness added to table length computation
A bad actor could fill only a few entries in a table (powers of two in
decreasing order, see tests) and produce a small table with a huge
length. If your program builds a table with external data and iterates
over its length, this behavior could be an issue.
Diffstat (limited to 'testes')
| -rw-r--r-- | testes/nextvar.lua | 12 |
1 files changed, 12 insertions, 0 deletions
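--- a/testes/nextvar.lua
+++ b/testes/nextvar.lua
@@ -345,6 +345,18 @@ do
 end
 end
 
+
+do print("testing attack on table length")
+local t = {}
+local lim = math.floor(math.log(math.maxinteger, 2)) - 1
+for i = lim, 0, -1 do
+t[2^i] = true
+end
+assert(t[1 << lim])
+-- next loop should not take forever
+for i = 1, #t do end
+end
+
 local nofind = {}
 
 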
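Review bot: The new block detects a regression only by hanging: `for i = 1, #t do end` carries no assertion, so a `#t` close to `1 << lim` would surface as a test-run timeout instead of a failed check. Consider taking the length once and checking it, for example `local n = #t; assert(t[n] and t[n + 1] == nil)` for the border property, and adding an upper bound on `n` if the implementation guarantees one; the C side is not in this diffstat, so the right bound cannot be read from this page. Since the fix is described as randomized, the comment above the loop could also say whether the loop is expected to be short on every run or only with high probability, so that an occasional slow run is read correctly.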
