nik/lush
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bug: unpack with maximum indices may crash due to arithmetic overflow

Browse Source
This commit is contained in:
Roberto Ierusalimschy
2008-02-14 14:03:09 -02:00
parent 6d182faab6
commit 5ac3386888
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lbaselib.c
View File

@@ -1,5 +1,5 @@
/* /*
** $Id: lbaselib.c,v 1.202 2008/01/03 17:07:59 roberto Exp roberto $ ** $Id: lbaselib.c,v 1.203 2008/02/11 19:14:52 roberto Exp roberto $
** Basic library ** Basic library
** See Copyright Notice in lua.h ** See Copyright Notice in lua.h
*/ */
@@ -353,10 +353,12 @@ static int luaB_unpack (lua_State *L) {
luaL_checktype(L, 1, LUA_TTABLE); luaL_checktype(L, 1, LUA_TTABLE);
i = luaL_optint(L, 2, 1); i = luaL_optint(L, 2, 1);
e = luaL_opt(L, luaL_checkint, 3, (int)lua_objlen(L, 1)); e = luaL_opt(L, luaL_checkint, 3, (int)lua_objlen(L, 1));
if (i > e) return 0; /* empty range */
n = e - i + 1; /* number of elements */ n = e - i + 1; /* number of elements */
if (n <= 0) return 0; /* empty range */ if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
luaL_checkstack(L, n, "table too big to unpack"); return luaL_error(L, "too many results to unpack");
for (; i<=e; i++) /* push arg[i...e] */ lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
while (i++ < e) /* push arg[i + 1...e] */
lua_rawgeti(L, 1, i); lua_rawgeti(L, 1, i);
return n; return n;
} }