
Commit 5ccb6f7

committed
Security: more cmsgpack fixes by @soloestoy.
@soloestoy sent me these additional fixes after searching for problems similar to the one reported in mp_pack(). I'm committing the changes because it was not possible to make a public PR, in order to protect Redis users and give Redis providers some time to patch their systems.
1 parent 1eb08bc commit 5ccb6f7


1 file changed

+7
-0
lines changed


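--- a/deps/lua/src/lua_cmsgpack.c
+++ b/deps/lua/src/lua_cmsgpack.c
@@ -385,6 +385,7 @@ void mp_encode_lua_table_as_array(lua_State *L, mp_buf *buf, int level) {
 #endif
 
 mp_encode_array(L,buf,len);
+luaL_checkstack(L, 1, "in function mp_encode_lua_table_as_array");
 for (j = 1; j <= len; j++) {
 lua_pushnumber(L,j);
 lua_gettable(L,-2);
@@ -400,6 +401,7 @@ void mp_encode_lua_table_as_map(lua_State *L, mp_buf *buf, int level) {
 * Lua API, we need to iterate a first time. Note that an alternative
 * would be to do a single run, and then hack the buffer to insert the
 * map opcodes for message pack. Too hackish for this lib. */
+luaL_checkstack(L, 3, "in function mp_encode_lua_table_as_map");
 lua_pushnil(L);
 while(lua_next(L,-2)) {
 lua_pop(L,1); /* remove value, keep key for next iteration. */
@@ -522,6 +524,7 @@ int mp_pack(lua_State *L) {
 for(i = 1; i <= nargs; i++) {
 /* Copy argument i to top of stack for _encode processing;
 * the encode function pops it from the stack when complete. */
+luaL_checkstack(L, 1, "in function mp_check");
 lua_pushvalue(L, i);
 
 mp_encode_lua_type(L,buf,0);
@@ -550,6 +553,7 @@ void mp_decode_to_lua_array(lua_State *L, mp_cur *c, size_t len) {
 int index = 1;
 
 lua_newtable(L);
+luaL_checkstack(L, 1, "in function mp_decode_to_lua_array");
 while(len--) {
 lua_pushnumber(L,index++);
 mp_decode_to_lua_type(L,c);
@@ -824,6 +828,9 @@ int mp_unpack_full(lua_State *L, int limit, int offset) {
 * subtract the entire buffer size from the unprocessed size
 * to get our next start offset */
 int offset = len - c.left;
+
+luaL_checkstack(L, 1, "in function mp_unpack_full");
+
 /* Return offset -1 when we have have processed the entire buffer. */
 lua_pushinteger(L, c.left == 0 ? -1 : offset);
 /* Results are returned with the arg elements still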
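Review bot: The stack-check message added in the `mp_pack` hunk names the wrong function, `"in function mp_check"`, so a stack-exhaustion error raised from this loop sends whoever triages it looking for a function other than the one in the hunk header; it should read `luaL_checkstack(L, 1, "in function mp_pack");`, matching the other four messages, which each name their own function. Since luaL_checkstack raises a Lua error rather than returning, it is also worth confirming that `buf`, which is set up outside this hunk, is released when the error unwinds out of the loop; if Lua does not collect it, each rejected call would leak it. In the `mp_decode_to_lua_array` hunk the check reserves one slot after `lua_newtable` while the loop pushes an index and then a decoded value, so it presumably relies on `mp_decode_to_lua_type` checking for its own push; a one-line comment saying so, such as `/* value slot is checked inside mp_decode_to_lua_type */`, would help the next reader.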
