Module Name: src Committed By: nikita Date: Mon Apr 17 19:35:36 UTC 2023
Modified Files: src/external/mit/lua/dist/src: ldebug.c lvm.c Log Message: lua: apply upstream bugfix for "Lua-stack overflow when C stack overflows while handling an error." (CVE-2022-33099) Save stack space while handling errors Because error handling (luaG_errormsg) uses slots from EXTRA_STACK, and some errors can recur (e.g., string overflow while creating an error message in 'luaG_runerror', or a C-stack overflow before calling the message handler), the code should use stack slots with parsimony. This commit fixes the bug "Lua-stack overflow when C stack overflows while handling an error". To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/external/mit/lua/dist/src/ldebug.c cvs rdiff -u -r1.15 -r1.16 src/external/mit/lua/dist/src/lvm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/external/mit/lua/dist/src/ldebug.c
diff -u src/external/mit/lua/dist/src/ldebug.c:1.12 src/external/mit/lua/dist/src/ldebug.c:1.13
--- src/external/mit/lua/dist/src/ldebug.c:1.12 Sun Apr 16 20:46:17 2023
+++ src/external/mit/lua/dist/src/ldebug.c Mon Apr 17 19:35:36 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: ldebug.c,v 1.12 2023/04/16 20:46:17 nikita Exp $ */
+/* $NetBSD: ldebug.c,v 1.13 2023/04/17 19:35:36 nikita Exp $ */
 /* ** Id: ldebug.c
@@ -828,8 +828,11 @@ l_noret luaG_runerror (lua_State *L, con
 va_start(argp, fmt);
 msg = luaO_pushvfstring(L, fmt, argp); /* format message */
 va_end(argp);
- if (isLua(ci)) /* if Lua function, add source:line information */
+ if (isLua(ci)) { /* if Lua function, add source:line information */
 luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
+ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */
+ L->top--;
+ }
 luaG_errormsg(L);
 }
Index: src/external/mit/lua/dist/src/lvm.c
diff -u src/external/mit/lua/dist/src/lvm.c:1.15 src/external/mit/lua/dist/src/lvm.c:1.16
--- src/external/mit/lua/dist/src/lvm.c:1.15 Sun Apr 16 20:46:17 2023
+++ src/external/mit/lua/dist/src/lvm.c Mon Apr 17 19:35:36 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: lvm.c,v 1.15 2023/04/16 20:46:17 nikita Exp $ */
+/* $NetBSD: lvm.c,v 1.16 2023/04/17 19:35:36 nikita Exp $ */
 /* ** Id: lvm.c
@@ -698,8 +698,10 @@ void luaV_concat (lua_State *L, int tota
 /* collect total length and number of strings */
 for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
 size_t l = vslen(s2v(top - n - 1));
- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+ L->top = top - total; /* pop strings to avoid wasting stack */
 luaG_runerror(L, "string length overflow");
+ }
 tl += l;
 }
 if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */
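Review bot: The two lines added in the `isLua(ci)` branch of luaG_runerror carry an undocumented stack-layout assumption: `setobjs2s(L, L->top - 2, L->top - 1); L->top--;` is only right if luaG_addinfo leaves exactly one new value directly above the slot that holds `msg`. luaG_addinfo is not shown in this hunk, so that should be stated where it is relied on, e.g. `/* luaG_addinfo pushed the decorated message right above 'msg'; move it down one slot */`. It would also help to note that the C pointer `msg` presumably refers to a string no longer anchored on the stack after the overwrite and must not be used past this point; the visible code does not use it again. The function's opening lines are outside the hunk.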
@@ -714,7 +716,7 @@ void luaV_concat (lua_State *L, int tota
 setsvalue2s(L, top - n, ts); /* create result */
 }
 total -= n-1; /* got 'n' strings to create 1 new */
- L->top -= n-1; /* popped 'n' strings and pushed one */
+ L->top = top - (n - 1); /* popped 'n' strings and pushed one */
 } while (total > 1); /* repeat until only 1 result left */
 }
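Review bot: The new `L->top = top - (n - 1);` computes the stack top from the local `top` instead of adjusting `L->top` in place, so it is only correct if nothing earlier in the same loop iteration moved or reallocated the Lua stack after `top` was read. The start of the do-while body is outside this hunk, so that cannot be confirmed here; if any branch there can call back into Lua (a concat metamethod, for instance), `top` would be stale and this line would store a dangling pointer into `L->top`. Unless that is ruled out, keeping the relative form `L->top -= n - 1;` is the safer choice, or add a comment beside the assignment stating why `top` is still valid at this point.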