1 files changed, 94 insertions, 7 deletions
diff --git a/bugs b/bugs
index a52ba06d..b57de4fc 100644
--- a/bugs
+++ b/bugs
@@ -1806,7 +1806,51 @@ a = string.dump(function()return;end)
 a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)
 loadstring(a)()
 ]],
-patch = [[ ]],
+patch = [[
+--- ldebug.c    2007/12/28 15:32:23     2.29.1.3
+++ ldebug.c    2008/04/04 15:15:40
+@@ -275,12 +275,12 @@
+ 
+ static int precheck (const Proto *pt) {
+   check(pt->maxstacksize <= MAXSTACK);
+-  lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
+-  lua_assert(!(pt->is_vararg & VARARG_NEEDSARG) ||
+  check(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
+  check(!(pt->is_vararg & VARARG_NEEDSARG) ||
+               (pt->is_vararg & VARARG_HASARG));
+   check(pt->sizeupvalues <= pt->nups);
+   check(pt->sizelineinfo == pt->sizecode || pt->sizelineinfo == 0);
+-  check(GET_OPCODE(pt->code[pt->sizecode-1]) == OP_RETURN);
+  check(pt->sizecode > 0 && GET_OPCODE(pt->code[pt->sizecode-1]) == OP_RETURN);
+   return 1;
+ }
+ 
+@@ -363,7 +363,11 @@
+     }
+     switch (op) {
+       case OP_LOADBOOL: {
+-        check(c == 0 || pc+2 < pt->sizecode);  /* check its jump */
+        if (c == 1) {  /* does it jump? */
+          check(pc+2 < pt->sizecode);  /* check its jump */
+          check(GET_OPCODE(pt->code[pc+1]) != OP_SETLIST ||
+                GETARG_C(pt->code[pc+1]) != 0);
+        }
+         break;
+       }
+       case OP_LOADNIL: {
+@@ -428,7 +432,10 @@
+       }
+       case OP_SETLIST: {
+         if (b > 0) checkreg(pt, a + b);
+-        if (c == 0) pc++;
+        if (c == 0) {
+          pc++;
+          check(pc < pt->sizecode - 1);
+        }
+         break;
+       }
+       case OP_CLOSURE: {
+]],
 }
 Bug{
@@ -1845,14 +1889,57 @@ z = 'if 1+1==2 then local a={' .. table.concat(z) .. '} end'
 func = loadstring(z)
 print(loadstring(string.dump(func)))
 ]],
-patch = [[ ]],
+patch = [[
+--- ldebug.c    2008/04/04 15:30:05     2.29.1.4
+++ ldebug.c    2008/04/04 15:47:10
+@@ -346,9 +346,18 @@
+           int dest = pc+1+b;
+           check(0 <= dest && dest < pt->sizecode);
+           if (dest > 0) {
+-            /* cannot jump to a setlist count */
+-            Instruction d = pt->code[dest-1];
+-            check(!(GET_OPCODE(d) == OP_SETLIST && GETARG_C(d) == 0));
+            int j;
+            /* check that it does not jump to a setlist count; this
+               is tricky, because the count from a previous setlist may
+               have the same value of an invalid setlist; so, we must
+               go all the way back to the first of them (if any) */
+            for (j = 0; j < dest; j++) {
+              Instruction d = pt->code[dest-1];
+              if (!(GET_OPCODE(d) == OP_SETLIST && GETARG_C(d) == 0)) break;
+            }
+            /* if 'j' is even, previous value is not a setlist (even if
+               it looks like one) */
+            check((j&1) == 0);
+           }
+         }
+         break;
+]],
 }
 Bug{
-what = [[ ]],
+what = [[maliciously crafted precompiled code can inject invalid boolean
-report = [[ , on ]],
+values into Lua code]],
-since = [[i ]],
+report = [[Greg Falcon, on 2008/03/27]],
-example = [[ ]],
+since = [[5.0]],
-patch = [[ ]],
+example = [[
+maybe = string.dump(function() return ({[true]=true})[true] end)
+maybe = maybe:gsub('\1\1','\1\2')
+maybe = loadstring(maybe)()
+assert(type(maybe) == "boolean" and maybe ~= true and maybe ~= false)
+]],
+patch = [[
+--- lundump.c   2008/01/18 16:39:11     2.7.1.2
+++ lundump.c   2008/04/04 15:50:39
+@@ -115,7 +115,7 @@
+        setnilvalue(o);
+        break;
+    case LUA_TBOOLEAN:
+-       setbvalue(o,LoadChar(S));
+       setbvalue(o,LoadChar(S)!=0);
+        break;
+    case LUA_TNUMBER:
+        setnvalue(o,LoadNumber(S));
+]],
 }

diff --git a/bugs b/bugs index a52ba06d..b57de4fc 100644 --- a/bugs +++ b/bugs
@@ -1806,7 +1806,51 @@ a = string.dump(function()return;end)
1806	a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)	1806	a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)
1807	loadstring(a)()	1807	loadstring(a)()
1808	]],	1808	]],
1809	patch = [[ ]],	1809	patch = [[
		1810	--- ldebug.c 2007/12/28 15:32:23 2.29.1.3
		1811	+++ ldebug.c 2008/04/04 15:15:40
		1812	@@ -275,12 +275,12 @@
		1813
		1814	static int precheck (const Proto *pt) {
		1815	check(pt->maxstacksize <= MAXSTACK);
		1816	- lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
		1817	- lua_assert(!(pt->is_vararg & VARARG_NEEDSARG) \|\|
		1818	+ check(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
		1819	+ check(!(pt->is_vararg & VARARG_NEEDSARG) \|\|
		1820	(pt->is_vararg & VARARG_HASARG));
		1821	check(pt->sizeupvalues <= pt->nups);
		1822	check(pt->sizelineinfo == pt->sizecode \|\| pt->sizelineinfo == 0);
		1823	- check(GET_OPCODE(pt->code[pt->sizecode-1]) == OP_RETURN);
		1824	+ check(pt->sizecode > 0 && GET_OPCODE(pt->code[pt->sizecode-1]) == OP_RETURN);
		1825	return 1;
		1826	}
		1827
		1828	@@ -363,7 +363,11 @@
		1829	}
		1830	switch (op) {
		1831	case OP_LOADBOOL: {
		1832	- check(c == 0 \|\| pc+2 < pt->sizecode); /* check its jump */
		1833	+ if (c == 1) { /* does it jump? */
		1834	+ check(pc+2 < pt->sizecode); /* check its jump */
		1835	+ check(GET_OPCODE(pt->code[pc+1]) != OP_SETLIST \|\|
		1836	+ GETARG_C(pt->code[pc+1]) != 0);
		1837	+ }
		1838	break;
		1839	}
		1840	case OP_LOADNIL: {
		1841	@@ -428,7 +432,10 @@
		1842	}
		1843	case OP_SETLIST: {
		1844	if (b > 0) checkreg(pt, a + b);
		1845	- if (c == 0) pc++;
		1846	+ if (c == 0) {
		1847	+ pc++;
		1848	+ check(pc < pt->sizecode - 1);
		1849	+ }
		1850	break;
		1851	}
		1852	case OP_CLOSURE: {
		1853	]],
1810	}	1854	}
1811		1855
1812	Bug{	1856	Bug{
@@ -1845,14 +1889,57 @@ z = 'if 1+1==2 then local a={' .. table.concat(z) .. '} end'
1845	func = loadstring(z)	1889	func = loadstring(z)
1846	print(loadstring(string.dump(func)))	1890	print(loadstring(string.dump(func)))
1847	]],	1891	]],
1848	patch = [[ ]],	1892	patch = [[
		1893	--- ldebug.c 2008/04/04 15:30:05 2.29.1.4
		1894	+++ ldebug.c 2008/04/04 15:47:10
		1895	@@ -346,9 +346,18 @@
		1896	int dest = pc+1+b;
		1897	check(0 <= dest && dest < pt->sizecode);
		1898	if (dest > 0) {
		1899	- /* cannot jump to a setlist count */
		1900	- Instruction d = pt->code[dest-1];
		1901	- check(!(GET_OPCODE(d) == OP_SETLIST && GETARG_C(d) == 0));
		1902	+ int j;
		1903	+ /* check that it does not jump to a setlist count; this
		1904	+ is tricky, because the count from a previous setlist may
		1905	+ have the same value of an invalid setlist; so, we must
		1906	+ go all the way back to the first of them (if any) */
		1907	+ for (j = 0; j < dest; j++) {
		1908	+ Instruction d = pt->code[dest-1];
		1909	+ if (!(GET_OPCODE(d) == OP_SETLIST && GETARG_C(d) == 0)) break;
		1910	+ }
		1911	+ /* if 'j' is even, previous value is not a setlist (even if
		1912	+ it looks like one) */
		1913	+ check((j&1) == 0);
		1914	}
		1915	}
		1916	break;
		1917	]],
1849	}	1918	}
1850		1919
1851	Bug{	1920	Bug{
1852	what = [[ ]],	1921	what = [[maliciously crafted precompiled code can inject invalid boolean
1853	report = [[ , on ]],	1922	values into Lua code]],
1854	since = [[i ]],	1923	report = [[Greg Falcon, on 2008/03/27]],
1855	example = [[ ]],	1924	since = [[5.0]],
1856	patch = [[ ]],	1925	example = [[
		1926	maybe = string.dump(function() return ({[true]=true})[true] end)
		1927	maybe = maybe:gsub('\1\1','\1\2')
		1928	maybe = loadstring(maybe)()
		1929	assert(type(maybe) == "boolean" and maybe ~= true and maybe ~= false)
		1930	]],
		1931	patch = [[
		1932	--- lundump.c 2008/01/18 16:39:11 2.7.1.2
		1933	+++ lundump.c 2008/04/04 15:50:39
		1934	@@ -115,7 +115,7 @@
		1935	setnilvalue(o);
		1936	break;
		1937	case LUA_TBOOLEAN:
		1938	- setbvalue(o,LoadChar(S));
		1939	+ setbvalue(o,LoadChar(S)!=0);
		1940	break;
		1941	case LUA_TNUMBER:
		1942	setnvalue(o,LoadNumber(S));
		1943	]],
1857	}	1944	}
1858		1945