1 files changed, 36 insertions, 0 deletions
diff --git a/bugs b/bugs
index 59af0765..5ad6f1c5 100644
--- a/bugs
+++ b/bugs
@@ -633,3 +633,39 @@ patch = [[
 ]],
 }
+-----------------------------------------------------------------
+-- Lua 5.0.2
+Bug{
+what = [[string concatenation may cause arithmetic overflow, leading
+to a buffer overflow]],
+report = [[Rici Lake, 20/05/2004]],
+example = [[
+longs = string.rep("\0", 2^25)
+function catter(i)
+    return assert(loadstring(
+      string.format("return function(a) return a%s end",
+                     string.rep("..a", i-1))))()
+end
+rep129 = catter(129)
+rep129(longs)
+]],
+patch = [[
+* lvm.c:
+329c329,331
+<         tl += tsvalue(top-n-1)->tsv.len;
+---
+>         size_t l = tsvalue(top-n-1)->tsv.len;
+>         if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+>         tl += l;
+332d333
+<       if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+]]
+}

diff --git a/bugs b/bugs index 59af0765..5ad6f1c5 100644 --- a/bugs +++ b/bugs
@@ -633,3 +633,39 @@ patch = [[
633	]],	633	]],
634		634
635	}	635	}
		636
		637
		638
		639	-----------------------------------------------------------------
		640	-- Lua 5.0.2
		641
		642	Bug{
		643	what = [[string concatenation may cause arithmetic overflow, leading
		644	to a buffer overflow]],
		645
		646	report = [[Rici Lake, 20/05/2004]],
		647
		648	example = [[
		649	longs = string.rep("\0", 2^25)
		650	function catter(i)
		651	return assert(loadstring(
		652	string.format("return function(a) return a%s end",
		653	string.rep("..a", i-1))))()
		654	end
		655	rep129 = catter(129)
		656	rep129(longs)
		657	]],
		658
		659	patch = [[
		660	* lvm.c:
		661	329c329,331
		662	< tl += tsvalue(top-n-1)->tsv.len;
		663	---
		664	> size_t l = tsvalue(top-n-1)->tsv.len;
		665	> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
		666	> tl += l;
		667	332d333
		668	< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
		669	]]
		670	}
		671