Skip to content

Commit e89086e

Browse files
committed
Security: fix Lua struct package offset handling.
After the first fix to the struct package I found another similar problem, which is fixed by this patch. It could be reproduced easily by running the following script: return struct.unpack('f', "xxxxxxxxxxxxx",-3) The above will access bytes before the 'data' pointer.
1 parent 5ccb6f7 commit e89086e

File tree

1 file changed

+6
-2
lines changed

1 file changed

+6
-2
lines changed

Diff for: deps/lua/src/lua_struct.c

+6-2
Original file line numberDiff line numberDiff line change
@@ -293,14 +293,18 @@ static int b_unpack (lua_State *L) {
293293
const char *fmt = luaL_checkstring(L, 1);
294294
size_t ld;
295295
const char *data = luaL_checklstring(L, 2, &ld);
296-
size_t pos = luaL_optinteger(L, 3, 1) - 1;
296+
size_t pos = luaL_optinteger(L, 3, 1);
297+
luaL_argcheck(L, pos > 0, 3, "offset must be 1 or greater");
298+
pos--; /* Lua indexes are 1-based, but here we want 0-based for C
299+
* pointer math. */
297300
int n = 0; /* number of results */
298301
defaultoptions(&h);
299302
while (*fmt) {
300303
int opt = *fmt++;
301304
size_t size = optsize(L, opt, &fmt);
302305
pos += gettoalign(pos, &h, opt, size);
303-
luaL_argcheck(L, pos+size <= ld, 2, "data string too short");
306+
luaL_argcheck(L, size <= ld && pos <= ld - size,
307+
2, "data string too short");
304308
/* stack space for item + next position */
305309
luaL_checkstack(L, 2, "too many results");
306310
switch (opt) {

0 commit comments

Comments
 (0)