Originally reported via tarantool/tarantool#9339: cp->packstack is of size CPARSE_MAX_PACKSTACK (7). cp->curpack is checked to be less than CPARSE_MAX_PACKSTACK, but then cp->packstack is accessed at cp->curpack + 1, which is out of bounds, so the value of cp->curpack is overwritten.
The following trivial patch fixes the issue (since the previous value is taken):
diff --git a/src/lj_cparse.c b/src/lj_cparse.c
index 6c3bb2f9..7963590d 100644
--- a/src/lj_cparse.c+++ b/src/lj_cparse.c@@ -1766,7 +1766,7 @@ static void cp_pragma(CPState *cp, BCLine pragmaline)
cp_check(cp, '(');
if (cp->tok == CTOK_IDENT) {
if (cp_str_is(cp->str, "push")) {
- if (cp->curpack < CPARSE_MAX_PACKSTACK) {+ if (cp->curpack + 1 < CPARSE_MAX_PACKSTACK) {
cp->packstack[cp->curpack+1] = cp->packstack[cp->curpack];
cp->curpack++;
}
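Review bot: the patched condition `cp->curpack + 1 < CPARSE_MAX_PACKSTACK` caps curpack at CPARSE_MAX_PACKSTACK - 1 (6), so the write to `cp->packstack[cp->curpack+1]` now stays inside the seven slots, where the original condition let curpack reach 6 and the write land on index 7. What the hunk still does not address is the else-less if: a push issued when the stack is already full is silently dropped, leaving curpack where it was, which is exactly the non-obvious top-slot behaviour the report itself questions. A reviewer would ask for an explicit parse error in that branch instead of a no-op, and for a regression test with seven nested pushes that would have tripped the old guard. Writing the bound as `cp->curpack < CPARSE_MAX_PACKSTACK - 1` also states the maximum depth directly and is worth considering for readability.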
But maybe it's better to throw an error in the case of a curpack overflow (since the behaviour when we overwrite the top stack slot value isn't very obvious)?
The following example demonstrates the issue:

For reference, the C example (named /tmp/t.c) yields 16, as expected:

gcc -O0 -ggdb3 -g /tmp/t.c -o /tmp/t.exe && /tmp/t.exe
16
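Added example, not the reporter's /tmp/t.c and not LuaJIT code: a small C model of the pack stack that shows the three behaviours discussed above side by side, the original guard (index 7 clobbers curpack), the patched guard (the push is dropped and the top slot is overwritten), and the reporter's alternative of rejecting the push. The model is an assumption about CPState's layout as the report describes it (a 7-byte packstack followed directly by the curpack byte): both are placed in one array so the out-of-bounds write at index 7 hits curpack deterministically instead of being undefined behaviour, and any access beyond that is refused and counted rather than performed. The 255 "no packing" sentinel in slot 0, the pop semantics and the storage of the raw pragma value n are modelling assumptions as well; the real parser transforms n, which does not change the indexing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPARSE_MAX_PACKSTACK 7

/* Guard policies for the push branch of cp_pragma():
 *   GUARD_ORIGINAL  cp->curpack < CPARSE_MAX_PACKSTACK      (the bug)
 *   GUARD_FIXED     cp->curpack + 1 < CPARSE_MAX_PACKSTACK  (the patch; full stack = silent no-op)
 *   GUARD_ERROR     same bound, but refuse the push outright (the reporter's alternative) */
enum guard { GUARD_ORIGINAL, GUARD_FIXED, GUARD_ERROR };

/* Model (assumption, not the real CPState) of the layout the report describes:
 * packstack[0..6] immediately followed by the curpack byte. Both sit in one array
 * so that the out-of-bounds index 7 lands on curpack deterministically rather
 * than being undefined behaviour; anything past the array is refused and counted. */
typedef struct {
  uint8_t mem[CPARSE_MAX_PACKSTACK + 1];
  int faults;                      /* accesses refused because idx >= 8 */
} PackModel;

#define CURPACK(m) ((m)->mem[CPARSE_MAX_PACKSTACK])

static uint8_t mread(PackModel *m, unsigned idx) {
  if (idx >= sizeof m->mem) { m->faults++; return 0; }
  return m->mem[idx];
}

static void mwrite(PackModel *m, unsigned idx, uint8_t v) {
  if (idx >= sizeof m->mem) { m->faults++; return; }
  m->mem[idx] = v;
}

static void pack_init(PackModel *m) {
  memset(m, 0, sizeof *m);
  m->mem[0] = 255;                 /* assumption: 255 marks "no packing" in the bottom slot */
}

/* `#pragma pack(push, n)`: duplicate the top slot, bump curpack, then store n
 * in the new top slot. Returns 0, or -1 when GUARD_ERROR rejects a full stack. */
static int pack_push(PackModel *m, uint8_t n, enum guard g) {
  unsigned cur = CURPACK(m);
  int room = (g == GUARD_ORIGINAL) ? (cur < CPARSE_MAX_PACKSTACK)
                                   : (cur + 1 < CPARSE_MAX_PACKSTACK);
  if (!room && g == GUARD_ERROR)
    return -1;                     /* a parse error would abort here, state untouched */
  if (room) {
    mwrite(m, cur + 1, mread(m, cur));   /* cur == 6 under GUARD_ORIGINAL: index 7 is curpack */
    CURPACK(m)++;
  }
  mwrite(m, CURPACK(m), n);        /* with a clobbered curpack this goes far out of bounds */
  return 0;
}

/* `#pragma pack(pop)` as modelled here: drop one level, never below the bottom slot. */
static void pack_pop(PackModel *m) {
  if (CURPACK(m) > 0) CURPACK(m)--;
}

/* Pack value the parser would currently apply. */
static uint8_t pack_current(PackModel *m) {
  return mread(m, CURPACK(m));
}

/* `depth` nested pushes requesting 8, 16, 24, ... under guard g; returns the final curpack. */
static unsigned nested_push(PackModel *m, int depth, enum guard g) {
  pack_init(m);
  for (int i = 1; i <= depth; i++)
    if (pack_push(m, (uint8_t)(8 * i), g) != 0) break;
  return CURPACK(m);
}

int main(void) {
  static const char *name[] = { "original", "fixed", "error" };
  for (int g = GUARD_ORIGINAL; g <= GUARD_ERROR; g++) {
    PackModel m;
    unsigned cur = nested_push(&m, CPARSE_MAX_PACKSTACK, (enum guard)g);
    uint8_t top = pack_current(&m);
    pack_pop(&m);
    printf("%-8s guard: curpack=%u top=%u after pop=%u faults=%d\n",
           name[g], cur, top, pack_current(&m), m.faults);
  }
  return 0;
}
```

Seven nested pushes are enough to tell the three policies apart: under the original guard the seventh push copies the top slot's value (48) over curpack and then increments it, so every later access is far outside the array; under the patched guard curpack stays at 6 but the seventh value (56) replaces 48 in the top slot, so the first pop yields 40 instead of 48; under the error policy the seventh push is refused and the stack is left consistent.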