Bug: Buffer overflow in string concatenation

Even if the string fits in size_t, the whole size of the TString object can overflow when we add the header.
2024-11-22 04:41:23 +03:00 · 2023-12-21 13:37:51 -03:00 · 2023-12-21 13:37:51 -03:00 · 5853c37a83
commit 5853c37a83
parent 842a83f09c
2 changed files with 2 additions and 2 deletions
--- a/lstring.c
+++ b/lstring.c
@ -224,7 +224,7 @@ TString *luaS_newlstr (lua_State *L, const char *str, size_t l) {
    return internshrstr(L, str, l);
  else {
    TString *ts;
-    if (l_unlikely(l >= (MAX_SIZE - sizeof(TString))/sizeof(char)))
+    if (l_unlikely(l * sizeof(char) >= (MAX_SIZE - sizeof(TString))))
      luaM_toobig(L);
    ts = luaS_createlngstrobj(L, l);
    memcpy(getlngstr(ts), str, l * sizeof(char));
--- a/lvm.c
+++ b/lvm.c
@ -661,7 +661,7 @@ void luaV_concat (lua_State *L, int total) {
      /* collect total length and number of strings */
      for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
        size_t l = tsslen(tsvalue(s2v(top - n - 1)));
-        if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+        if (l_unlikely(l >= MAX_SIZE - sizeof(TString) - tl)) {
          L->top.p = top - total;  /* pop strings to avoid wasting stack */
          luaG_runerror(L, "string length overflow");
        }