[Bug 1362278] [NEW] Stack overflow in vararg functions with many fixed parameters called with few arguments
Jamie Strandboge
jamie at ubuntu.com
Wed Aug 27 17:50:44 UTC 2014
*** This bug is a security vulnerability ***
Public security bug reported:
See http://www.lua.org/bugs.html section 5.2.2 for details. Essentially:
Stack overflow in vararg functions with many fixed parameters called with few arguments.
reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3.
Example:
  function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
             p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
             p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
             p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
             p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
    local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
  end
  f() -- crashes on some machines
Patch:
ldo.c:
@@ -324,7 +324,7 @@
case LUA_TLCL: { /* Lua function: prepare its call */
StkId base;
Proto *p = clLvalue(func)->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
func = restorestack(L, funcr);
n = cast_int(L->top - func) - 1; /* number of real arguments */
for (; n < p->numparams; n++)
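Review bot: the changed luaD_checkstack line carries no comment saying why p->numparams is added on top of p->maxstacksize, and nothing in the hunk ties the extra slots to the vararg case named in the bug title, so a later cleanup could take the term for redundant and drop it. Suggest a short comment on that line stating that the additional p->numparams slots cover the fixed parameters of a vararg function called with too few arguments, and carrying the f() reproducer from the report as a regression test in the package. As written, the larger reservation applies to every Lua function that reaches this case, not only vararg ones; that errs on the safe side, but the comment should say so to make it read as intentional.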
** Affects: lua5.2 (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Public to Public Security
https://bugs.launchpad.net/bugs/1362278