Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object
can overflow when we add the header.
Roberto Ierusalimschy
2023-12-21 13:37:51 -03:00
parent 842a83f09c
commit 5853c37a83
2 changed files with 2 additions and 2 deletions


@@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
return internshrstr(L, str, l);
else {
TString *ts;
if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
luaM_toobig(L);
ts = luaS_createlngstrobj(L, l);
memcpy(getlngstr(ts), str, l * sizeof(char));
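Review bot: The guard written as `l * sizeof(char) >= (MAX_SIZE - sizeof(TString))` cannot wrap only because `sizeof(char)` is 1. Unlike the divided form printed just above it, the multiplication on the left would overflow for any larger element size and let an oversized `l` through to `luaS_createlngstrobj` and the `memcpy` that copies `l` bytes. The page has lost its +/- markers, so this assumes the multiplied form is the new side. Since this check is what keeps the header-plus-payload size in range, I would pin the invariant with a comment above it, for example `/* sizeof(TString) + l must stay below MAX_SIZE; no wrap, sizeof(char) == 1 */`. The body of `luaS_newlstr` starts and ends outside the hunk.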