From 5853c37a83ec66ccb45094f9aeac23dfdbcde671 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 21 Dec 2023 13:37:51 -0300
Subject: Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
---
 lstring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lstring.c')
diff --git a/lstring.c b/lstring.c
index e921dd0f..97757355 100644
--- a/lstring.c
+++ b/lstring.c
@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
 return internshrstr(L, str, l);
 else {
 TString *ts;
- if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+ if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
 luaM_toobig(L);
 ts = luaS_createlngstrobj(L, l);
 memcpy(getlngstr(ts), str, l * sizeof(char));
-- cgit v1.2.3-55-g6feb
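Review bot: The rewritten guard on the `+` line is arithmetically identical to the one it replaces, because `sizeof(char)` is 1 by definition in C, so `l >= (MAX_SIZE - sizeof(TString))/sizeof(char)` and `l * sizeof(char) >= (MAX_SIZE - sizeof(TString))` reject exactly the same values of `l`; on its own this hunk does not change what luaS_newlstr accepts. The header-overflow fix the subject and body describe is presumably in the concatenation path that builds the total length before calling this function, which this view (limited to lstring.c) does not show, so anyone auditing the fix should look there rather than here. Since the bound is the security-relevant line of the function, I would document the invariant it enforces rather than leave it implicit: `/* sizeof(TString) + l (the full object) must stay below MAX_SIZE, not just l */`. The check relies on luaS_createlngstrobj sizing the object as header plus `l` (plus at most padding already counted in sizeof(TString)); if that helper adds anything larger, the bound would need to shrink accordingly. luaS_newlstr begins before the hunk and its body continues after it.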