bug: lua_getupvalue and setupvalue do not check for index too small.

2024-12-26 20:29:43 +03:00 · 2004-08-17 14:45:45 -03:00 · 2004-08-17 14:45:45 -03:00 · 271e05917f
commit 271e05917f
parent fe8c365281
2 changed files with 24 additions and 3 deletions
--- a/21
+++ b/21
@ -669,3 +669,24 @@ patch = [[
 ]]
 }

+
+Bug{
+what = [[lua_getupvalue and setupvalue do not check for index too small]],
+
+report = [[Mike Pall, ?/2004]],
+
+example = [[debug.getupvalue(function() end, 0)]],
+
+patch = [[
+* lapi.c
+941c941
+<     if (n > f->c.nupvalues) return NULL;
+---
+>     if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
+947c947
+<     if (n > p->sizeupvalues) return NULL;
+---
+>     if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
+]]
+}
+
--- a/lapi.c
+++ b/lapi.c
@ -1,5 +1,5 @@
 /*
-** $Id: lapi.c,v 2.15 2004/08/10 19:17:23 roberto Exp roberto $
+** $Id: lapi.c,v 2.16 2004/08/12 17:02:51 roberto Exp roberto $
 ** Lua API
 ** See Copyright Notice in lua.h
 */
@ -938,13 +938,13 @@ static const char *aux_upvalue (lua_State *L, StkId fi, int n, TValue **val) {
  if (!ttisfunction(fi)) return NULL;
  f = clvalue(fi);
  if (f->c.isC) {
-    if (n > f->c.nupvalues) return NULL;
+    if (!(1 <= n && n <= f->c.nupvalues)) return NULL;
    *val = &f->c.upvalue[n-1];
    return "";
  }
  else {
    Proto *p = f->l.p;
-    if (n > p->sizeupvalues) return NULL;
+    if (!(1 <= n && n <= p->sizeupvalues)) return NULL;
    *val = f->l.upvals[n-1]->v;
    return getstr(p->upvalues[n-1]);
  }