From 5ac3386888347cb4d9b3ffc6d5abd1a4cfc8d1c9 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 14 Feb 2008 14:03:09 -0200
Subject: bug: unpack with maximum indices may crash due to arithmetic overflow

---
 lbaselib.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'lbaselib.c')

diff --git a/lbaselib.c b/lbaselib.c
index 538cc5d0..a6a674c7 100644
--- a/lbaselib.c
+++ b/lbaselib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lbaselib.c,v 1.202 2008/01/03 17:07:59 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.203 2008/02/11 19:14:52 roberto Exp roberto $
 ** Basic library
 ** See Copyright Notice in lua.h
 */
@@ -353,10 +353,12 @@ static int luaB_unpack (lua_State *L) {
   luaL_checktype(L, 1, LUA_TTABLE);
   i = luaL_optint(L, 2, 1);
   e = luaL_opt(L, luaL_checkint, 3, (int)lua_objlen(L, 1));
+  if (i > e) return 0;  /* empty range */
   n = e - i + 1;  /* number of elements */
-  if (n <= 0) return 0;  /* empty range */
-  luaL_checkstack(L, n, "table too big to unpack");
-  for (; i<=e; i++)  /* push arg[i...e] */
+  if (n <= 0 || !lua_checkstack(L, n))  /* n <= 0 means arith. overflow */
+    return luaL_error(L, "too many results to unpack");
+  lua_rawgeti(L, 1, i);  /* push arg[i] (avoiding overflow problems) */
+  while (i++ < e)  /* push arg[i + 1...e] */
     lua_rawgeti(L, 1, i);
   return n;
 }
-- 
cgit v1.2.3-55-g6feb
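Review bot: The guard `if (n <= 0 || !lua_checkstack(L, n))` relies on `e - i + 1` wrapping to a non-positive value when the range is too large, but signed overflow is undefined behaviour in C, so an optimizing compiler may assume `n > 0` follows from `i <= e` and discard the `n <= 0` test, leaving the crash this commit is fixing. Computing the span in unsigned arithmetic makes the check well-defined: `unsigned int un = (unsigned int)e - (unsigned int)i;` then `if (un >= (unsigned int)INT_MAX || !lua_checkstack(L, (int)(un + 1))) return luaL_error(L, "too many results to unpack");` and `n = (int)(un + 1);`. The rewritten loop `while (i++ < e)` has the same kind of problem at the boundary: when `e == INT_MAX` the post-increment still executes after the final failed comparison and overflows `i`; `while (i < e) lua_rawgeti(L, 1, ++i);` pushes the same elements without that increment. The declarations of `i`, `e` and `n` are above the hunk, so the unsigned form may need a declaration adjustment there.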