1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 8bb9cb38befd8c1131576b9fdbea605a7a094245 Mon Sep 17 00:00:00 2001
From: Sun He <sunheehnus@gmail.com>
Date: Sun, 13 Dec 2015 13:47:22 +0800
Subject: [PATCH] lua_struct.c/getnum: throw error if overflow happen
Fix issue #2855
---
deps/lua/src/lua_struct.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c
index ec78bcb..a602bb4 100644
--- a/deps/lua/src/lua_struct.c
+++ b/deps/lua/src/lua_struct.c
@@ -89,12 +89,14 @@ typedef struct Header {
} Header;
-static int getnum (const char **fmt, int df) {
+static int getnum (lua_State *L, const char **fmt, int df) {
if (!isdigit(**fmt)) /* no number? */
return df; /* return default value */
else {
int a = 0;
do {
+ if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
+ luaL_error(L, "integral size overflow");
a = a*10 + *((*fmt)++) - '0';
} while (isdigit(**fmt));
return a;
@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) {
case 'f': return sizeof(float);
case 'd': return sizeof(double);
case 'x': return 1;
- case 'c': return getnum(fmt, 1);
+ case 'c': return getnum(L, fmt, 1);
case 'i': case 'I': {
- int sz = getnum(fmt, sizeof(int));
+ int sz = getnum(L, fmt, sizeof(int));
if (sz > MAXINTSIZE)
luaL_error(L, "integral size %d is larger than limit of %d",
sz, MAXINTSIZE);
@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt,
case '>': h->endian = BIG; return;
case '<': h->endian = LITTLE; return;
case '!': {
- int a = getnum(fmt, MAXALIGN);
+ int a = getnum(L, fmt, MAXALIGN);
if (!isp2(a))
luaL_error(L, "alignment %d is not a power of 2", a);
h->align = a;
|
