

Fix tpt.parts being unsafe
`tpt.parts` does check whether the particle ID it gets is valid, but it doesn't check whether that particle ID is used. One could potentially modify the life property of dead particles to break the linked list of free particle IDs, thus potentially gaining the ability to read from or write to arbitrary addresses in memory.
LBPHacker authored and jacob1 committed Jul 14, 2017
1 parent 8e5b0c7 commit 7dd538b
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions src/lua/LegacyLuaAPI.cpp
Expand Up @@ -32,6 +32,8 @@ int luacon_partread(lua_State* l)

if (i < 0 || i >= NPART)
return luaL_error(l, "Out of range");
if (!luacon_sim->parts[i].type)
return luaL_error(l, "dead particle");
if (offset == -1)
{
if (!key.compare("id"))
Expand Down Expand Up @@ -68,6 +70,8 @@ int luacon_partwrite(lua_State* l)

if (i < 0 || i >= NPART)
return luaL_error(l, "Out of range");
if (!luacon_sim->parts[i].type)
return luaL_error(l, "dead particle");
if (offset == -1)
return luaL_error(l, "Invalid property");

Expand Down Expand Up @@ -95,6 +99,11 @@ int luacon_partsread(lua_State* l)
{
return luaL_error(l, "array index out of bounds");
}

if (!luacon_sim->parts[i].type)
{
return luaL_error(l, "dead particle");
}

lua_rawgeti(l, LUA_REGISTRYINDEX, tptPart);
cIndex = i;
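Review bot: The liveness guard added in all three hunks keys only on `parts[i].type`, so it holds only while "dead" and `type == 0` stay equivalent; if `type` is itself writable through luacon_partwrite, a script can zero it on a live particle and that slot presumably ends up neither on the free list nor rejected by this check, so `type` writes should be rejected here or routed through the simulation's own kill/create path rather than the raw field store. The identical check is repeated in luacon_partread, luacon_partwrite and luacon_partsread; a single `static int luacon_check_part(lua_State *l, int i) { return luacon_sim->parts[i].type ? 0 : luaL_error(l, "dead particle"); }` helper called from each entry point would keep future property-access paths from omitting it. The new message `"dead particle"` also breaks the capitalisation of the neighbouring `"Out of range"`, which matters to scripts that match on error text. All three enclosing functions begin before and continue after their hunks, so the `offset`/`key` parsing that precedes the new check is not visible here.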
