
bug: IBM AS400 (OS400) has sizeof(void *)==16, and a `%p' may generate
up to 60 characters in a `printf'. That causes a buffer overflow in
`tostring'.

Roberto Ierusalimschy 22 years ago
parent
commit
64066359dd
2 changed files with 19 additions and 12 deletions
  1. 17 10
      lbaselib.c
  2. 2 2
      liolib.c

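--- a/lbaselib.c
+++ b/lbaselib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lbaselib.c,v 1.130 2003/04/03 13:35:34 roberto Exp roberto $
+** $Id: lbaselib.c,v 1.131 2003/05/16 18:59:08 roberto Exp roberto $
 ** Basic library
 ** See Copyright Notice in lua.h
 */
@@ -324,7 +324,9 @@ static int luaB_xpcall (lua_State *L) {
 
 
 static int luaB_tostring (lua_State *L) {
-  char buff[64];
+  char buff[4*sizeof(void *) + 2];  /* enough space for a `%p' */
+  const char *tn = "";
+  const void *p = NULL;
   luaL_checkany(L, 1);
   if (luaL_callmeta(L, 1, "__tostring"))  /* is there a metafield? */
     return 1;  /* use its value */
@@ -338,24 +340,29 @@ static int luaB_tostring (lua_State *L) {
     case LUA_TBOOLEAN:
       lua_pushstring(L, (lua_toboolean(L, 1) ? "true" : "false"));
       return 1;
+    case LUA_TNIL:
+      lua_pushliteral(L, "nil");
+      return 1;
     case LUA_TTABLE:
-      sprintf(buff, "table: %p", lua_topointer(L, 1));
+      p = lua_topointer(L, 1);
+      tn = "table";
       break;
     case LUA_TFUNCTION:
-      sprintf(buff, "function: %p", lua_topointer(L, 1));
+      p = lua_topointer(L, 1);
+      tn = "function";
       break;
     case LUA_TUSERDATA:
     case LUA_TLIGHTUSERDATA:
-      sprintf(buff, "userdata: %p", lua_touserdata(L, 1));
+      p = lua_touserdata(L, 1);
+      tn = "userdata";
       break;
     case LUA_TTHREAD:
-      sprintf(buff, "thread: %p", (void *)lua_tothread(L, 1));
+      p = lua_tothread(L, 1);
+      tn = "thread";
       break;
-    case LUA_TNIL:
-      lua_pushliteral(L, "nil");
-      return 1;
   }
-  lua_pushstring(L, buff);
+  sprintf(buff, "%p", p);
+  lua_pushfstring(L, "%s: %s", tn, buff);
   return 1;
 }
 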
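Review bot: The new size `4*sizeof(void *) + 2` on the `char buff` line is a heuristic rather than a guarantee: the C standard leaves the text produced by `%p` implementation-defined, so the bound rests on the convention of two hex digits per pointer byte plus a prefix (doubled for slack), and the `sprintf(buff, "%p", p)` near the end of the hunk is still an unbounded write into that buffer. The AS400 case from the commit message (up to 60 characters with sizeof(void *)==16) fits in the resulting 66 bytes, but a future port with a longer `%p` rendering has no check to catch it. I would record the assumption next to the size so it can be re-verified on new platforms, e.g. `char buff[4*sizeof(void *) + 2];  /* `%p': assumes <= 4 chars per pointer byte plus prefix; re-check on new platforms */`, and, if C99 is acceptable for the build, write `snprintf(buff, sizeof buff, "%p", p)` so a wrong estimate truncates instead of overflowing. The same sizing is introduced in io_tostring in liolib.c and would take the same comment. The switch that assigns `p` and `tn` begins outside this hunk.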

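--- a/liolib.c
+++ b/liolib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: liolib.c,v 2.44 2003/07/07 13:32:52 roberto Exp roberto $
+** $Id: liolib.c,v 2.45 2003/07/09 12:08:43 roberto Exp roberto $
 ** Standard I/O (and system) library
 ** See Copyright Notice in lua.h
 */
@@ -152,7 +152,7 @@ static int io_gc (lua_State *L) {
 
 
 static int io_tostring (lua_State *L) {
-  char buff[32];
+  char buff[4*sizeof(void *) + 2];  /* enough space for a `%p' */
   FILE **f = topfile(L, 1);
   if (*f == NULL)
     strcpy(buff, "closed");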