summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBenoit Giannangeli <giann008@gmail.com>2017-03-24 11:30:51 +0100
committerBenoit Giannangeli <giann008@gmail.com>2017-03-24 11:30:51 +0100
commit58c57c57354fce407b11c0d63f8926edf5f469c0 (patch)
tree821ee53984033997a569ac001f3ee7cf2b85d34c
parent00340610e70f3651d267a210e2c2914f1102d086 (diff)
downloadfengari-58c57c57354fce407b11c0d63f8926edf5f469c0.tar.gz
fengari-58c57c57354fce407b11c0d63f8926edf5f469c0.tar.bz2
fengari-58c57c57354fce407b11c0d63f8926edf5f469c0.zip
Missing overflow check in string.rep
-rw-r--r--src/lstrlib.js5
-rw-r--r--tests/single.lua6
2 files changed, 10 insertions, 1 deletions
diff --git a/src/lstrlib.js b/src/lstrlib.js
index 3a2ea39..77b0815 100644
--- a/src/lstrlib.js
+++ b/src/lstrlib.js
@@ -21,7 +21,7 @@ const L_ESC = sL_ESC.charCodeAt(0);
const LUA_MAXCAPTURES = 32;
// (sizeof(size_t) < sizeof(int) ? MAX_SIZET : (size_t)(INT_MAX))
-const MAXSIZE = Number.MAX_SAFE_INTEGER;
+const MAXSIZE = 2147483647;
/* translate a relative string position: negative means back from end */
@@ -668,6 +668,9 @@ const str_rep = function(L) {
let n = lauxlib.luaL_checkinteger(L, 2);
let sep = lauxlib.luaL_optstring(L, 3, "");
+ if (s.length + sep.length < s.length || s.length + sep.length > MAXSIZE / n) /* may overflow? */
+ return lauxlib.luaL_error(L, "resulting string too large");
+
lapi.lua_pushstring(L, n > 0 ? (s + sep).repeat(n - 1) + s : "");
return 1;
};
diff --git a/tests/single.lua b/tests/single.lua
index 4bd159c..d9b6ce9 100644
--- a/tests/single.lua
+++ b/tests/single.lua
@@ -99,3 +99,9 @@ assert(string.lower("\0ABCc%$") == "\0abcc%$")
assert(string.rep('teste', 0) == '')
assert(string.rep('tés\00tê', 2) == 'tés\0têtés\000tê')
assert(string.rep('', 10) == '')
+
+if string.packsize("i") == 4 then
+ -- result length would be 2^31 (int overflow)
+ checkerror("too large", string.rep, 'aa', (1 << 30))
+ checkerror("too large", string.rep, 'a', (1 << 30), ',')
+end