
Re: Specially crafted binary chunks can cause Lua to crash



> On another note, the following exploits a bug in ldebug.c's precheck function:
> 
> loadstring(string.dump(function(a,b,c)end):gsub("%z\3%z\3","\0\255\1\3",1))()
> 
> The line in question is:
> 
> lua_assert(pt->numparams+(pt->is_vararg & VARARG_HASARG) <= pt->maxstacksize);
> 
> If numparams is 255, and is_vararg has the HASARG flag set, then the
> addition will overflow, and the function can have a lot more parameters
> than stack slots, leading to a segfault when the function is called.
Why would 255+1 overflow? What seems odd is the 'lua_assert' there. If
it is checking the code, it should use 'check'...
-- Roberto
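A pre-load validator for the condition under discussion, added here as an example and not code from the thread or from Lua itself: it walks a Lua 5.1 binary chunk far enough to read the main function's numparams/is_vararg/maxstacksize bytes and applies the precheck condition in Python, so it is enforced whether or not lua_assert is compiled in. The field layout (12-byte header, source name, two ints, then nups/numparams/is_vararg/maxstacksize) follows Lua 5.1's lundump format; the sample chunk is constructed by hand (little-endian, 4-byte int, 8-byte size_t) and truncated after the fields being checked.

```python
import struct

VARARG_HASARG = 1  # Lua 5.1 lobject.h flag bit tested by the precheck


def parse_proto_header(chunk):
    """Parse a Lua 5.1 binary chunk up to the main function's
    nups/numparams/is_vararg/maxstacksize bytes and return them."""
    if chunk[:4] != b"\x1bLua" or chunk[4] != 0x51:
        raise ValueError("not a Lua 5.1 binary chunk")
    endian = "<" if chunk[6] == 1 else ">"      # byte 6: endianness flag
    size_int, size_t = chunk[7], chunk[8]       # sizeof(int), sizeof(size_t)
    pos = 12                                    # end of the fixed header
    # source name: size_t length (incl. trailing NUL), then that many bytes
    fmt = endian + {4: "I", 8: "Q"}[size_t]
    (srclen,) = struct.unpack_from(fmt, chunk, pos)
    pos += size_t + srclen
    pos += 2 * size_int                         # linedefined, lastlinedefined
    nups, numparams, is_vararg, maxstacksize = chunk[pos:pos + 4]
    return {"nups": nups, "numparams": numparams,
            "is_vararg": is_vararg, "maxstacksize": maxstacksize}


def precheck_ok(chunk):
    """The ldebug.c precheck condition, evaluated before loading the chunk.
    Python ints never wrap, so 255 + 1 is simply 256 > maxstacksize."""
    p = parse_proto_header(chunk)
    return p["numparams"] + (p["is_vararg"] & VARARG_HASARG) <= p["maxstacksize"]


# Constructed sample: header for little-endian, 4-byte int, 8-byte size_t,
# 4-byte Instruction, 8-byte non-integral lua_Number; main function with
# nups=0, numparams=3, is_vararg=0, maxstacksize=3, as for function(a,b,c)end.
# Truncated after those four bytes since nothing later is inspected here.
HEADER = b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00"
SOURCE = b"=stdin\x00"
GOOD = (HEADER + struct.pack("<Q", len(SOURCE)) + SOURCE
        + struct.pack("<ii", 1, 1) + bytes([0, 3, 0, 3]))

# Same byte substitution the thread's gsub performs: numparams 3 -> 255,
# is_vararg 0 -> 1 (HASARG), maxstacksize left at 3.
BAD = GOOD.replace(bytes([0, 3, 0, 3]), bytes([0, 255, 1, 3]), 1)

if __name__ == "__main__":
    for name, chunk in (("good", GOOD), ("bad", BAD)):
        print(name, parse_proto_header(chunk), "precheck_ok:", precheck_ok(chunk))
```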
