From 58c57c57354fce407b11c0d63f8926edf5f469c0 Mon Sep 17 00:00:00 2001
From: Benoit Giannangeli <giann008@gmail.com>
Date: Fri, 24 Mar 2017 11:30:51 +0100
Subject: Missing overflow check in string.rep

---
 src/lstrlib.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lstrlib.js b/src/lstrlib.js
index 3a2ea39..77b0815 100644
--- a/src/lstrlib.js
+++ b/src/lstrlib.js
@@ -21,7 +21,7 @@ const L_ESC   = sL_ESC.charCodeAt(0);
 const LUA_MAXCAPTURES = 32;
 
 // (sizeof(size_t) < sizeof(int) ? MAX_SIZET : (size_t)(INT_MAX))
-const MAXSIZE = Number.MAX_SAFE_INTEGER;
+const MAXSIZE = 2147483647;
 
 
 /* translate a relative string position: negative means back from end */
@@ -668,6 +668,9 @@ const str_rep = function(L) {
     let n = lauxlib.luaL_checkinteger(L, 2);
     let sep = lauxlib.luaL_optstring(L, 3, "");
 
+    if (s.length + sep.length < s.length || s.length + sep.length > MAXSIZE / n)  /* may overflow? */
+        return lauxlib.luaL_error(L, "resulting string too large");
+
     lapi.lua_pushstring(L, n > 0 ? (s + sep).repeat(n - 1) + s : "");
     return 1;
 };
-- 
cgit v1.2.3-54-g00ecf