better patch for buffer overflow error

Roberto Ierusalimschy
2004-11-03 10:22:39 -02:00
parent 737ec947d3
commit cfd7bc478f

30
bugs

@@ -658,14 +658,28 @@ rep129(longs)
patch = [[ patch = [[
* lvm.c: * lvm.c:
329c329,331 @@ -321,15 +321,15 @@
< tl += tsvalue(top-n-1)->tsv.len; luaG_concaterror(L, top-2, top-1);
--- } else if (tsvalue(top-1)->tsv.len > 0) { /* if len=0, do nothing */
> size_t l = tsvalue(top-n-1)->tsv.len; /* at least two string values; get as many as possible */
> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow"); - lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
> tl += l; - cast(lu_mem, tsvalue(top-2)->tsv.len);
332d333 + size_t tl = tsvalue(top-1)->tsv.len;
< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow"); char *buffer;
int i;
- while (n < total && tostring(L, top-n-1)) { /* collect total length */
- tl += tsvalue(top-n-1)->tsv.len;
- n++;
+ /* collect total length */
+ for (n = 1; n < total && tostring(L, top-n-1); n++) {
+ size_t l = tsvalue(top-n-1)->tsv.len;
+ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
+ tl += l;
}
- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
buffer = luaZ_openspace(L, &G(L)->buff, tl);
tl = 0;
for (i=n; i>0; i--) { /* concat all strings */
]] ]]
} }
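Review bot: The new bound inside the `for` loop of the embedded lvm.c patch, `if (l >= MAX_SIZET - tl)`, should carry a short comment explaining why it is written as a subtraction before the add. With `tl` now a `size_t`, a test of the form `tl + l > MAX_SIZET` after the addition could never fire, because the sum would already have wrapped, which appears to be the weakness of the removed `if (tl > MAX_SIZET)` line. A comment such as `/* compare before adding: tl + l could wrap around in size_t */` above the check would stop a later edit from "simplifying" it back. The check bounds only the total handed to `luaZ_openspace`; whether the code that later builds the result string adds a header or terminator on top of `tl` lies outside this hunk, so confirm it has its own limit. The enclosing function starts and ends outside the hunk.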