Bug: Long brackets with a huge number of '=' causes overflow
A long bracket with too many equal signs can overflow the 'int' used for the counting and some arithmetic done on the value. Changing the counter to 'size_t' avoids that. (Because what is counted goes to a buffer, an overflow in the counter will first raise a buffer-overflow error.)
This commit is contained in:
Roberto Ierusalimschy
19
bugs
19
bugs
@@ -4017,6 +4017,25 @@ patch = [[
|
||||
|
||||
|
||||
|
||||
--[=[
|
||||
Bug{
|
||||
what = [[Long brackets with a huge number of '=' overflow some
|
||||
internal buffer arithmetic]],
|
||||
report = [[Marco, 2018/12/12]],
|
||||
since = [[5.1]],
|
||||
fix = nil,
|
||||
example = [[
|
||||
local eqs = string.rep("=", 0x3ffffffe)
|
||||
local code = "return [" .. eqs .. "[a]" .. eqs .. "]"
|
||||
print(#assert(load(code))())
|
||||
]],
|
||||
patch = [[
|
||||
]]
|
||||
}
|
||||
]=]
|
||||
|
||||
|
||||
|
||||
|
||||
--[=[
|
||||
Bug{
|
||||
|
||||
Reference in New Issue
Block a user