From 58c57c57354fce407b11c0d63f8926edf5f469c0 Mon Sep 17 00:00:00 2001 From: Benoit Giannangeli Date: Fri, 24 Mar 2017 11:30:51 +0100 Subject: Missing overflow check in string.rep --- src/lstrlib.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lstrlib.js b/src/lstrlib.js index 3a2ea39..77b0815 100644 --- a/src/lstrlib.js +++ b/src/lstrlib.js @@ -21,7 +21,7 @@ const L_ESC = sL_ESC.charCodeAt(0); const LUA_MAXCAPTURES = 32; // (sizeof(size_t) < sizeof(int) ? MAX_SIZET : (size_t)(INT_MAX)) -const MAXSIZE = Number.MAX_SAFE_INTEGER; +const MAXSIZE = 2147483647; /* translate a relative string position: negative means back from end */ @@ -668,6 +668,9 @@ const str_rep = function(L) { let n = lauxlib.luaL_checkinteger(L, 2); let sep = lauxlib.luaL_optstring(L, 3, ""); + if (s.length + sep.length < s.length || s.length + sep.length > MAXSIZE / n) /* may overflow? */ + return lauxlib.luaL_error(L, "resulting string too large"); + lapi.lua_pushstring(L, n > 0 ? (s + sep).repeat(n - 1) + s : ""); return 1; }; -- cgit v1.2.3-70-g09d2