From 57f5b81da9f1f23380d20f164012e10c5f4fef94 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Fri, 14 Dec 2018 13:12:01 -0200
Subject: Bug: Long brackets with a huge number of '=' causes overflow

A long bracket with too many equal signs can overflow the 'int' used for the counting and some arithmetic done on the value. Changing the counter to 'size_t' avoids that. (Because what is counted goes to a buffer, an overflow in the counter will first raise a buffer-overflow error.)
---
 bugs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'bugs')
diff --git a/bugs b/bugs
index d7a717c3..a965025b 100644
--- a/bugs
+++ b/bugs
@@ -4017,6 +4017,25 @@ patch = [[
+--[=[
+Bug{
+what = [[Long brackets with a huge number of '=' overflow some
+internal buffer arithmetic]],
+report = [[Marco, 2018/12/12]],
+since = [[5.1]],
+fix = nil,
+example = [[
+local eqs = string.rep("=", 0x3ffffffe)
+local code = "return [" .. eqs .. "[a]" .. eqs .. "]"
+print(#assert(load(code))())
+]],
+patch = [[
+]]
+}
+]=]
+
+
+
 --[=[
 Bug{
-- 
cgit v1.2.3-55-g6feb
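Review bot: The new record is committed with `fix = nil` and an empty `patch = [[ ]]` field, so anyone triaging this entry on an affected release (the record says `since = [[5.1]]`) gets the reproducer but no pointer to the remediation. The commit message says the fix is changing the counter to 'size_t'; this view is limited to 'bugs', so that change is not visible here, and the `patch` field should carry it, or at least say where it landed, once it is available. The `what` text could also name the cause the way the commit message does, e.g. `what = [[Long brackets with a huge number of '=' overflow the 'int' counter and the arithmetic done on it]]`. The example builds a chunk from two runs of 0x3ffffffe characters, so a one-line comment such as `-- needs several GiB of memory; may stop with "not enough memory" first` would tell readers why a run on a small host does not show the reported behaviour.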