nik/lush
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check string indices when loading binary chunk

Browse Source 
Lua is not religious about that, but it tries to avoid crashes when
loading binary chunks.
This commit is contained in:
Roberto Ierusalimschy
2025-06-17 11:40:49 -03:00
parent 9386e49a31
commit f711567448
2 changed files with 11 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lundump.c
View File

@@ -154,8 +154,9 @@ static void loadString (LoadState *S, Proto *p, TString **sl) {
else if (size == 1) { /* previously saved string? */ else if (size == 1) { /* previously saved string? */
lua_Unsigned idx = loadVarint(S, LUA_MAXUNSIGNED); /* get its index */ lua_Unsigned idx = loadVarint(S, LUA_MAXUNSIGNED); /* get its index */
TValue stv; TValue stv;
luaH_getint(S->h, l_castU2S(idx), &stv); /* get its value */ if (novariant(luaH_getint(S->h, l_castU2S(idx), &stv)) != LUA_TSTRING)
*sl = ts = tsvalue(&stv); error(S, "invalid string index");
*sl = ts = tsvalue(&stv); /* get its value */
luaC_objbarrier(L, p, ts); luaC_objbarrier(L, p, ts);
return; /* do not save it again */ return; /* do not save it again */
} }
@@ -394,11 +395,10 @@ LClosure *luaU_undump (lua_State *L, ZIO *Z, const char *name, int fixed) {
LoadState S; LoadState S;
LClosure *cl; LClosure *cl;
if (*name == '@' || *name == '=') if (*name == '@' || *name == '=')
S.name = name + 1; name = name + 1;
else if (*name == LUA_SIGNATURE[0]) else if (*name == LUA_SIGNATURE[0])
S.name = "binary string"; name = "binary string";
else S.name = name;
S.name = name;
S.L = L; S.L = L;
S.Z = Z; S.Z = Z;
S.fixed = cast_byte(fixed); S.fixed = cast_byte(fixed);

12
manual/manual.of
View File

@@ -1403,8 +1403,7 @@ see the program @idx{luac} and the function @Lid{string.dump} for details.
Programs in source and compiled forms are interchangeable; Programs in source and compiled forms are interchangeable;
Lua automatically detects the file type and acts accordingly @seeF{load}. Lua automatically detects the file type and acts accordingly @seeF{load}.
Be aware that, unlike source code, Be aware that, unlike source code,
the execution of maliciously crafted maliciously crafted binary chunks can crash the interpreter.
bytecode can crash the interpreter.
} }
@@ -6694,11 +6693,10 @@ It may be the string @St{b} (only @x{binary chunk}s),
or @St{bt} (both binary and text). or @St{bt} (both binary and text).
The default is @St{bt}. The default is @St{bt}.
It is safe to load malformed binary chunks; Lua does not check the consistency of binary chunks.
@id{load} signals an appropriate error. Maliciously crafted binary chunks can crash
However, the interpreter.
Lua does not check the consistency of the code inside binary chunks; You can use the @id{mode} parameter to prevent loading binary chunks.
running maliciously crafted bytecode can crash the interpreter.
} }