From f71156744851701b5d5fabdda5061b31e53f8f14 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Tue, 17 Jun 2025 11:40:49 -0300
Subject: Check string indices when loading binary chunk

Lua is not religious about that, but it tries to avoid crashes when loading binary chunks.

---
 lundump.c | 12 ++++++------
 manual/manual.of | 12 +++++-------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/lundump.c b/lundump.c
index 10528987..ade40384 100644
--- a/lundump.c
+++ b/lundump.c
@@ -154,8 +154,9 @@ static void loadString (LoadState *S, Proto *p, TString **sl) {
 else if (size == 1) { /* previously saved string? */
 lua_Unsigned idx = loadVarint(S, LUA_MAXUNSIGNED); /* get its index */
 TValue stv;
- luaH_getint(S->h, l_castU2S(idx), &stv); /* get its value */
- *sl = ts = tsvalue(&stv);
+ if (novariant(luaH_getint(S->h, l_castU2S(idx), &stv)) != LUA_TSTRING)
+ error(S, "invalid string index");
+ *sl = ts = tsvalue(&stv); /* get its value */
 luaC_objbarrier(L, p, ts);
 return; /* do not save it again */
 }
@@ -394,11 +395,10 @@ LClosure *luaU_undump (lua_State *L, ZIO *Z, const char *name, int fixed) {
 LoadState S;
 LClosure *cl;
 if (*name == '@' || *name == '=')
- S.name = name + 1;
+ name = name + 1;
 else if (*name == LUA_SIGNATURE[0])
- S.name = "binary string";
- else
- S.name = name;
+ name = "binary string";
+ S.name = name;
 S.L = L;
 S.Z = Z;
 S.fixed = cast_byte(fixed);
diff --git a/manual/manual.of b/manual/manual.of
index baa33d88..5bab781b 100644
--- a/manual/manual.of
+++ b/manual/manual.of
@@ -1403,8 +1403,7 @@ see the program @idx{luac} and the function @Lid{string.dump} for details. Programs in source and compiled forms are interchangeable; Lua automatically detects the file type and acts accordingly @seeF{load}. Be aware that, unlike source code, -the execution of maliciously crafted -bytecode can crash the interpreter. +maliciously crafted binary chunks can crash the interpreter. } 
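Review bot: The new `LUA_TSTRING` check before `*sl = ts = tsvalue(&stv)` carries no comment saying why it is needed, so a later reader may take it for a redundant type test and remove it; the reason is that `idx` is read straight from the chunk and may name a slot of `S->h` that no earlier string filled. Add `/* idx comes from the chunk: the slot may be empty or hold a non-string */` above the `if`. Rejecting everything other than `LUA_TSTRING` also covers an `idx` that `l_castU2S` turns into a negative key, assuming `luaH_getint` then reports a miss rather than a string value. loadString begins before and continues after the hunk.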
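Review bot: Rewriting the `name` parameter in place (`name = name + 1;`, `name = "binary string";`) changes what any later use of `name` in the function sees, whereas the old code only set `S.name`; the rest of luaU_undump is outside the hunk, so confirm that `name` is not referenced after `S.name = name;`. If it is not, the simplification is fine, and a short comment on the `if` such as `/* drop the '@'/'=' prefix, or hide a binary chunk used as its own name */` would make the three cases explicit for the next reader. luaU_undump's body continues past the hunk.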
@@ -6694,11 +6693,10 @@ It may be the string @St{b} (only @x{binary chunk}s), or @St{bt} (both binary and text). The default is @St{bt}. -It is safe to load malformed binary chunks; -@id{load} signals an appropriate error. -However, -Lua does not check the consistency of the code inside binary chunks; -running maliciously crafted bytecode can crash the interpreter. +Lua does not check the consistency of binary chunks. +Maliciously crafted binary chunks can crash +the interpreter. +You can use the @id{mode} parameter to prevent loading binary chunks. } -- cgit v1.2.3-55-g6feb