cp->packstack buffer overflow in cp_pragma()

[Buristan]

Originally reported via tarantool/tarantool#9339:
cp->packstack is of size CPARSE_MAX_PACKSTACK (7).
cp->curpack is checked to be less than CPARSE_MAX_PACKSTACK, but then cp->packstack is accessed at cp->curpack + 1, which is out of bounds, so cp->curpack value is overwritten.

The following example demonstrates the issue:

src/luajit -e "
local ffi = require 'ffi'
ffi.cdef[[
#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 8)
#pragma pack(push, 8)
#pragma pack(push, 8)
#pragma pack(pop)
struct test {uint64_t a; uint8_t b;};
]]

-- Expected 16, got 9.
print(ffi.sizeof(ffi.new('struct test')))
"
9

For the reference, the C example (named /tmp/t.c):

#include <stdio.h>
#include <stdint.h>

#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 1)
#pragma pack(push, 8)
#pragma pack(push, 8)
#pragma pack(push, 8)
#pragma pack(pop)

struct test {uint64_t a; uint8_t b;};

int main(void)
{
        printf("%lu\n", sizeof(struct test));
        return 0;
}

yields as expected 16:

gcc -O0 -ggdb3 -g /tmp/t.c -o /tmp/t.exe && /tmp/t.exe
16

The following trivial patch fixes the issue (since the previous value is taken):

diff --git a/src/lj_cparse.c b/src/lj_cparse.c
index 6c3bb2f9..7963590d 100644
--- a/src/lj_cparse.c
+++ b/src/lj_cparse.c
@@ -1766,7 +1766,7 @@ static void cp_pragma(CPState *cp, BCLine pragmaline)
     cp_check(cp, '(');
     if (cp->tok == CTOK_IDENT) {
       if (cp_str_is(cp->str, "push")) {
-        if (cp->curpack < CPARSE_MAX_PACKSTACK) {
+        if (cp->curpack + 1 < CPARSE_MAX_PACKSTACK) {
           cp->packstack[cp->curpack+1] = cp->packstack[cp->curpack];
           cp->curpack++;
         }

But maybe it's better to throw an error in the case of the curpack overflow (since the behaviour when we overwrite the top stack slot value isn't very obvious)?

[MikePall]

Fixed. Thanks!