From cfd7bc478f21494c254a8ed514271dbe655721b0 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Wed, 3 Nov 2004 10:22:39 -0200
Subject: [PATCH] better patch for buffer overflow error
---
 bugs | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/bugs b/bugs
index 2efc9aba..d4cae38d 100644
--- a/bugs
+++ b/bugs
@@ -658,14 +658,28 @@ rep129(longs)
 patch = [[
 * lvm.c:
-329c329,331
-< tl += tsvalue(top-n-1)->tsv.len;
----
-> size_t l = tsvalue(top-n-1)->tsv.len;
-> if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
-> tl += l;
-332d333
-< if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+@@ -321,15 +321,15 @@
+ luaG_concaterror(L, top-2, top-1);
+ } else if (tsvalue(top-1)->tsv.len > 0) { /* if len=0, do nothing */
+ /* at least two string values; get as many as possible */
+- lu_mem tl = cast(lu_mem, tsvalue(top-1)->tsv.len) +
+- cast(lu_mem, tsvalue(top-2)->tsv.len);
++ size_t tl = tsvalue(top-1)->tsv.len;
+ char *buffer;
+ int i;
+- while (n < total && tostring(L, top-n-1)) { /* collect total length */
+- tl += tsvalue(top-n-1)->tsv.len;
+- n++;
++ /* collect total length */
++ for (n = 1; n < total && tostring(L, top-n-1); n++) {
++ size_t l = tsvalue(top-n-1)->tsv.len;
++ if (l >= MAX_SIZET - tl) luaG_runerror(L, "string length overflow");
++ tl += l;
+ }
+- if (tl > MAX_SIZET) luaG_runerror(L, "string size overflow");
+ buffer = luaZ_openspace(L, &G(L)->buff, tl);
+ tl = 0;
+ for (i=n; i>0; i--) { /* concat all strings */
 ]]
 }
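Review bot: The rewritten `patch = [[ ... ]]` string gives no sign that it supersedes the earlier ed-style fix, so someone who already applied the old two-edit patch cannot tell from the entry that they need to re-patch. From the visible lines, the old patch touched only the in-loop `tl += ...` and the post-loop check, leaving the initial `cast(lu_mem, ...) + cast(lu_mem, ...)` sum outside any overflow test. The new one starts from a single length and runs every addition through `l >= MAX_SIZET - tl` before `luaZ_openspace` is sized; that is presumably why it was revised, though the commit message does not say so. A short Lua comment just above `patch = [[`, such as `-- replaces the earlier patch, which left the first length addition unchecked`, would record this. The enclosing table entry begins above the hunk, so whether it already carries such a note cannot be seen here.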