diff options
| author | Mike Pall <mike> | 2020-04-28 17:52:28 +0200 |
|---|---|---|
| committer | Mike Pall <mike> | 2020-04-28 17:52:28 +0200 |
| commit | 179cf2eb84fef2b9a524469c3c8cc49363b8fb10 (patch) | |
| tree | 1611274769c6c167af6a43ad92fa4aa3decf3c49 | |
| parent | db0b7ec194f9535c292a6084bd4bf57e9baf8b7e (diff) | |
| download | luajit-179cf2eb84fef2b9a524469c3c8cc49363b8fb10.tar.gz luajit-179cf2eb84fef2b9a524469c3c8cc49363b8fb10.tar.bz2 luajit-179cf2eb84fef2b9a524469c3c8cc49363b8fb10.zip | |
Fix overflow check in unpack().
Thanks to HybridDog.
| -rw-r--r-- | src/lib_base.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib_base.c b/src/lib_base.c index dae61fe1..99f7b44a 100644 --- a/src/lib_base.c +++ b/src/lib_base.c | |||
| @@ -219,9 +219,11 @@ LJLIB_CF(unpack) | |||
| 219 | int32_t n, i = lj_lib_optint(L, 2, 1); | 219 | int32_t n, i = lj_lib_optint(L, 2, 1); |
| 220 | int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ? | 220 | int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ? |
| 221 | lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t); | 221 | lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t); |
| 222 | uint32_t nu; | ||
| 222 | if (i > e) return 0; | 223 | if (i > e) return 0; |
| 223 | n = e - i + 1; | 224 | nu = (uint32_t)e - (uint32_t)i; |
| 224 | if (n <= 0 || !lua_checkstack(L, n)) | 225 | n = (int32_t)(nu+1); |
| 226 | if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n)) | ||
| 225 | lj_err_caller(L, LJ_ERR_UNPACK); | 227 | lj_err_caller(L, LJ_ERR_UNPACK); |
| 226 | do { | 228 | do { |
| 227 | cTValue *tv = lj_tab_getint(t, i); | 229 | cTValue *tv = lj_tab_getint(t, i); |