51 lines
1.8 KiB
Diff
51 lines
1.8 KiB
Diff
From ef764dde1cca2f25d00686673d1bc89448819571 Mon Sep 17 00:00:00 2001
|
|
From: Seunghoon Woo <toad58@nate.com>
|
|
Date: Mon, 10 Feb 2020 16:32:46 +0900
|
|
Subject: [PATCH] [FIX] revisit CVE-2015-8080 vulnerability
|
|
|
|
---
|
|
deps/lua/src/lua_struct.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c
|
|
index 4d5f027b85c..c58c8e72b08 100644
|
|
--- a/deps/lua/src/lua_struct.c
|
|
+++ b/deps/lua/src/lua_struct.c
|
|
@@ -89,12 +89,14 @@ typedef struct Header {
|
|
} Header;
|
|
|
|
|
|
-static int getnum (const char **fmt, int df) {
|
|
+static int getnum (lua_State *L, const char **fmt, int df) {
|
|
if (!isdigit(**fmt)) /* no number? */
|
|
return df; /* return default value */
|
|
else {
|
|
int a = 0;
|
|
do {
|
|
+ if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
|
|
+ luaL_error(L, "integral size overflow");
|
|
a = a*10 + *((*fmt)++) - '0';
|
|
} while (isdigit(**fmt));
|
|
return a;
|
|
@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) {
|
|
case 'f': return sizeof(float);
|
|
case 'd': return sizeof(double);
|
|
case 'x': return 1;
|
|
- case 'c': return getnum(fmt, 1);
|
|
+ case 'c': return getnum(L, fmt, 1);
|
|
case 'i': case 'I': {
|
|
- int sz = getnum(fmt, sizeof(int));
|
|
+ int sz = getnum(L, fmt, sizeof(int));
|
|
if (sz > MAXINTSIZE)
|
|
luaL_error(L, "integral size %d is larger than limit of %d",
|
|
sz, MAXINTSIZE);
|
|
@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt,
|
|
case '>': h->endian = BIG; return;
|
|
case '<': h->endian = LITTLE; return;
|
|
case '!': {
|
|
- int a = getnum(fmt, MAXALIGN);
|
|
+ int a = getnum(L, fmt, MAXALIGN);
|
|
if (!isp2(a))
|
|
luaL_error(L, "alignment %d is not a power of 2", a);
|
|
h->align = a;
|