Disable loading bytecode with an extra header (BOM or #!).

2 files changed, 18 insertions, 1 deletions

diff --git a/src/lj_errmsg.h b/src/lj_errmsg.h
index 83c69ea8..d1db4386 100644
--- a/src/lj_errmsg.h
+++ b/src/lj_errmsg.h
@@ -139,6 +139,7 @@ ERRDEF(XFOR,	LUA_QL("=") " or " LUA_QL("in") " expected")
 /* Bytecode reader errors. */
 ERRDEF(BCFMT,   "cannot load incompatible bytecode")
 ERRDEF(BCBAD,   "cannot load malformed bytecode")
+ERRDEF(BCHEAD,  "attempt to load bytecode with extra header")
 
 #if LJ_HASFFI
 /* FFI errors. */
diff --git a/src/lj_lex.c b/src/lj_lex.c
index d87a49dc..669d2dfe 100644
--- a/src/lj_lex.c
+++ b/src/lj_lex.c
@@ -411,6 +411,7 @@ static int llex(LexState *ls, TValue *tv)
 /* Setup lexer state. */
 int lj_lex_setup(lua_State *L, LexState *ls)
 {
+  int header = 0;
   ls->L = L;
   ls->fs = NULL;
   ls->n = 0;
@@ -430,6 +431,7 @@ int lj_lex_setup(lua_State *L, LexState *ls)
     ls->n -= 2;
     ls->p += 2;
     next(ls);
+    header = 1;
   }
   if (ls->current == '#') {  /* Skip POSIX #! header line. */
     do {
@@ -437,8 +439,22 @@ int lj_lex_setup(lua_State *L, LexState *ls)
       if (ls->current == END_OF_STREAM) return 0;
     } while (!currIsNewline(ls));
     inclinenumber(ls);
+    header = 1;
   }
-  return (ls->current == LUA_SIGNATURE[0]);  /* Bytecode dump? */
+  if (ls->current == LUA_SIGNATURE[0]) {  /* Bytecode dump. */
+    if (header) {
+      /*
+      ** Loading bytecode with an extra header is disabled for security
+      ** reasons. This may circumvent the usual check for bytecode vs.
+      ** Lua code by looking at the first char. Since this is a potential
+      ** security violation no attempt is made to echo the chunkname either.
+      */
+      setstrV(L, L->top++, lj_err_str(L, LJ_ERR_BCHEAD));
+      lj_err_throw(L, LUA_ERRSYNTAX);
+    }
+    return 1;
+  }
+  return 0;
 }
 
 /* Cleanup lexer state. */