From 58c57c57354fce407b11c0d63f8926edf5f469c0 Mon Sep 17 00:00:00 2001
From: Benoit Giannangeli
Date: Fri, 24 Mar 2017 11:30:51 +0100
Subject: Missing overflow check in string.rep
---
 src/lstrlib.js | 5 ++++-
 tests/single.lua | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/lstrlib.js b/src/lstrlib.js
index 3a2ea39..77b0815 100644
--- a/src/lstrlib.js
+++ b/src/lstrlib.js
@@ -21,7 +21,7 @@ const L_ESC = sL_ESC.charCodeAt(0);
 const LUA_MAXCAPTURES = 32;
 // (sizeof(size_t) < sizeof(int) ? MAX_SIZET : (size_t)(INT_MAX))
-const MAXSIZE = Number.MAX_SAFE_INTEGER;
+const MAXSIZE = 2147483647;
 /* translate a relative string position: negative means back from end */
@@ -668,6 +668,9 @@ const str_rep = function(L) {
 let n = lauxlib.luaL_checkinteger(L, 2);
 let sep = lauxlib.luaL_optstring(L, 3, "");
+ if (s.length + sep.length < s.length || s.length + sep.length > MAXSIZE / n) /* may overflow? */
+ return lauxlib.luaL_error(L, "resulting string too large");
+
 lapi.lua_pushstring(L, n > 0 ? (s + sep).repeat(n - 1) + s : "");
 return 1;
 };
diff --git a/tests/single.lua b/tests/single.lua
index 4bd159c..d9b6ce9 100644
--- a/tests/single.lua
+++ b/tests/single.lua
@@ -99,3 +99,9 @@ assert(string.lower("\0ABCc%$") == "\0abcc%$")
 assert(string.rep('teste', 0) == '')
 assert(string.rep('tés\00tê', 2) == 'tés\0têtés\000tê')
 assert(string.rep('', 10) == '')
+ if string.packsize("i") == 4 then
+ -- result length would be 2^31 (int overflow)
+ checkerror("too large", string.rep, 'aa', (1 << 30))
+ checkerror("too large", string.rep, 'a', (1 << 30), ',')
+ end
-- 
cgit v1.2.3-54-g00ecf
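Review bot: The new guard in str_rep runs before the `n > 0` branch that follows it, so a negative count is rejected instead of yielding the empty string: for `n < 0`, `MAXSIZE / n` is negative and any non-empty `s` or `sep` makes `s.length + sep.length > MAXSIZE / n` true, turning `string.rep('x', -1)` into a "resulting string too large" error where reference Lua returns `""` (it only performs the overflow test when `n > 0`). The condition should be `if (n > 0 && s.length + sep.length > MAXSIZE / n)`; the `s.length + sep.length < s.length` clause is a carry-over of C's unsigned-wraparound test and can never be true for JS numbers, so it can be dropped. Even with the fix, a count that passes the `MAXSIZE` bound can still exceed the JS engine's own maximum string length (which in common runtimes is, as far as I know, well below 2^31-1), in which case `String.prototype.repeat` throws a RangeError that is not a Lua error; consider catching it around the `repeat` call and mapping it to `luaL_error(L, "resulting string too large")`, or at least documenting the limit. The body of str_rep (its `s` parameter read) starts outside this hunk.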