authorMike Pall <mike>2024-05-25 16:22:39 +0200
committerMike Pall <mike>2024-05-25 16:22:39 +0200
commit4fc48c50fe3f3f5a9680bada5c0c0d0d7eb345a3 (patch)
treedc920b08becc8eaddfdb9cf9d0baa30d3100acd4
parenta6386bdabed83d87e5d1746666652108b6b2682d (diff)
Limit number of string format elements to compile.
Reported by pwnhacker0x18. #1203
-rw-r--r--src/lj_ffrecord.c2
1 files changed, 2 insertions, 0 deletions
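--- a/src/lj_ffrecord.c
+++ b/src/lj_ffrecord.c
@@ -1005,6 +1005,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
   GCstr *fmt = argv2str(J, &rd->argv[arg]);
   FormatState fs;
   SFormat sf;
+  int nfmt = 0;
   /* Specialize to the format string. */
   emitir(IRTG(IR_EQ, IRT_STR), trfmt, lj_ir_kstr(J, fmt));
   lj_strfmt_init(&fs, strdata(fmt), fmt->len);
@@ -1082,6 +1083,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
       recff_nyiu(J, rd);
       return;
     }
+    if (++nfmt > 100) lj_trace_err(J, LJ_TRERR_TRACEOV);
   }
   if (sbufx) {
     emitir(IRT(IR_USE, IRT_NIL), tr, 0);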
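Review bot: The new bound in the second hunk, `if (++nfmt > 100) lj_trace_err(J, LJ_TRERR_TRACEOV);`, hard-codes the magic number 100 with no comment explaining what it protects against, so a later reader has no way to tell whether the value is a tuning knob or a safety limit. Since this is the fix for the report in the commit message, it deserves a named constant and a why-comment at the declaration in the first hunk, e.g. `enum { RECFF_FORMAT_MAXELEM = 100 };  /* Constructed name: max format elements recorded per trace. */` with the check becoming `if (++nfmt > RECFF_FORMAT_MAXELEM) lj_trace_err(J, LJ_TRERR_TRACEOV);`, plus a comment on `nfmt` such as `/* Bounds IR emitted per format element; aborting the trace keeps an overlong format string from blowing up recording. */`. Note that the counter is only incremented after the per-element recording has succeeded, so the NYI early-return path above it is not counted, which looks intentional but is worth stating. The enclosing loop and `recff_format` itself begin and end outside the visible hunks, so the comment placement should be confirmed against the full function.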