lua-l archive

Re: heap-buffer-overflow in luaY_parser


On 17.07.2015 at 19:57, Karl Skomski wrote:
> I played around with lua + libfuzzer and can't continue because it
> always stops because of the sheer number of luaL_loadbuffer calls
> resulting in a heap-buffer-overflow.
>
> #include <stdlib.h>
> #include "lua.h"
> #include "lauxlib.h"
> #include "lualib.h"
>
> unsigned long long persist_cnt;
>
> int main(int argc, char** argv) {
>   lua_State* L = luaL_newstate();
>   /* iteration count; the default of 1010000 exceeds LUAI_MAXSTACK
>      (1000000 in Lua 5.3's luaconf.h) */
>   const char* env = getenv("PERSIST_MAX");
>   unsigned long long persist_max = env ? strtoull(env, 0, 0) : 1010000;
> try_again:
>   /* each call pushes one value (the compiled chunk or an error message);
>      nothing below ever pops it */
>   luaL_loadbuffer(L, 0, 0, "stdin");

You should add a `printf("stack top: %d\n", lua_gettop(L));` here, and check the manual section [1] on stack size afterwards.

>   if (persist_cnt++ < persist_max) {
>     goto try_again;
>   }
>   lua_close(L);
>   return 0;
> }
>
> Kind regards,
> Karl Skomski
Philipp
 [1]: http://www.lua.org/manual/5.3/manual.html#4.2