From 303f4155593721dfd57dadc6e56122e465ce9efb Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Fri, 18 Jul 2025 16:18:30 -0300
Subject: Randomness added to table length computation

A bad actor could fill only a few entries in a table (power of twos in
decreasing order, see tests) and produce a small table with a huge
length. If your program builds a table with external data and iterates
over its length, this behavior could be an issue.
---
 testes/nextvar.lua | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'testes')

diff --git a/testes/nextvar.lua b/testes/nextvar.lua
index 03810a8e..7e5bed56 100644
--- a/testes/nextvar.lua
+++ b/testes/nextvar.lua
@@ -345,6 +345,18 @@ do
   end
 end
 
+
+do  print("testing attack on table length")
+  local t = {}
+  local lim = math.floor(math.log(math.maxinteger, 2)) - 1
+  for i = lim, 0, -1 do
+    t[2^i] = true
+  end
+  assert(t[1 << lim])
+  -- next loop should not take forever
+  for i = 1, #t do end
+end
+
 local nofind = {}
 
 
-- 
cgit v1.2.3-55-g6feb