From f87416f1a3e47aa69ed8d27e7406ec6b7848da9a Mon Sep 17 00:00:00 2001 From: Roberto I Date: Wed, 27 Aug 2025 10:30:54 -0300 Subject: Added limit to number of elements in a constructor The reasoning in commit 519c57d5 is wrong: A sequence of nils generates several fields with just one OP_LOADNIL. --- lparser.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) (limited to 'lparser.c') diff --git a/lparser.c b/lparser.c index 73dad6d7..5abcd407 100644 --- a/lparser.c +++ b/lparser.c @@ -905,6 +905,19 @@ typedef struct ConsControl { } ConsControl; +/* +** Maximum number of elements in a constructor, to control the following: +** * counter overflows; +** * overflows in 'extra' for OP_NEWTABLE and OP_SETLIST; +** * overflows when adding multiple returns in OP_SETLIST. +*/ +#define MAX_CNST (INT_MAX/2) +#if MAX_CNST/(MAXARG_vC + 1) > MAXARG_Ax +#undef MAX_CNST +#define MAX_CNST (MAXARG_Ax * (MAXARG_vC + 1)) +#endif + + static void recfield (LexState *ls, ConsControl *cc) { /* recfield -> (NAME | '['exp']') = exp */ FuncState *fs = ls->fs; @@ -925,7 +938,7 @@ static void recfield (LexState *ls, ConsControl *cc) { static void closelistfield (FuncState *fs, ConsControl *cc) { - if (cc->v.k == VVOID) return; /* there is no list item */ + lua_assert(cc->tostore > 0); luaK_exp2nextreg(fs, &cc->v); cc->v.k = VVOID; if (cc->tostore >= cc->maxtostore) { @@ -1013,10 +1026,12 @@ static void constructor (LexState *ls, expdesc *t) { checknext(ls, '{' /*}*/); cc.maxtostore = maxtostore(fs); do { - lua_assert(cc.v.k == VVOID || cc.tostore > 0); if (ls->t.token == /*{*/ '}') break; - closelistfield(fs, &cc); + if (cc.v.k != VVOID) /* is there a previous list item? */ + closelistfield(fs, &cc); /* close it */ field(ls, &cc); + luaY_checklimit(fs, cc.tostore + cc.na + cc.nh, MAX_CNST, + "items in a constructor"); } while (testnext(ls, ',') || testnext(ls, ';')); check_match(ls, /*{*/ '}', '{' /*}*/, line); lastlistfield(fs, &cc); -- cgit v1.2.3-55-g6feb