From 5853c37a83ec66ccb45094f9aeac23dfdbcde671 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 21 Dec 2023 13:37:51 -0300
Subject: Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
---
 lvm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lvm.c')

diff --git a/lvm.c b/lvm.c
index 4d71cfff..918ae64c 100644
--- a/lvm.c
+++ b/lvm.c
@@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
   /* collect total length and number of strings */
   for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
     size_t l = tsslen(tsvalue(s2v(top - n - 1)));
-    if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+    if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
       L->top.p = top - total;  /* pop strings to avoid wasting stack */
       luaG_runerror(L, "string length overflow");
     }
-- 
cgit v1.2.3-55-g6feb
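Review bot: The new bound on the `+` line, `MAX_SIZE - sizeof(TString) - tl`, is written out by hand here and appears to duplicate the limit the string allocator applies when it later creates the result (header plus payload must fit in MAX_SIZE), so the two sites can drift apart on the next change to TString; a single named maximum-length macro derived from `MAX_SIZE - sizeof(TString)`, used by both, would keep them in step. The expression also relies on `sizeof(TString)` covering the terminating NUL that the allocation appends after the payload, which holds if TString ends in a contents array but is not obvious at this line, so a comment such as `/* the TString header (and the NUL) must also fit in MAX_SIZE */` would help the next reader. Since each iteration rejects `l` before it is added to `tl`, `tl` stays below `MAX_SIZE - sizeof(TString)` and the subtraction cannot wrap, provided the initial `tl` (the length of an already-existing string) satisfies the allocator's bound — worth confirming where `tl` is initialised. luaV_concat begins before the hunk and continues past it.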