
Commit ef764dd

committed
[FIX] revisit CVE-2015-8080 vulnerability
1 parent 9c00bdd commit ef764dd


1 file changed

+6
-4
lines changed


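--- a/deps/lua/src/lua_struct.c
+++ b/deps/lua/src/lua_struct.c
@@ -89,12 +89,14 @@ typedef struct Header {
 } Header;
 
 
-static int getnum (const char **fmt, int df) {
+static int getnum (lua_State *L, const char **fmt, int df) {
 if (!isdigit(**fmt)) /* no number? */
 return df; /* return default value */
 else {
 int a = 0;
 do {
+if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
+luaL_error(L, "integral size overflow");
 a = a*10 + *((*fmt)++) - '0';
 } while (isdigit(**fmt));
 return a;
@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) {
 case 'f': return sizeof(float);
 case 'd': return sizeof(double);
 case 'x': return 1;
-case 'c': return getnum(fmt, 1);
+case 'c': return getnum(L, fmt, 1);
 case 'i': case 'I': {
-int sz = getnum(fmt, sizeof(int));
+int sz = getnum(L, fmt, sizeof(int));
 if (sz > MAXINTSIZE)
 luaL_error(L, "integral size %d is larger than limit of %d",
 sz, MAXINTSIZE);
@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt,
 case '>': h->endian = BIG; return;
 case '<': h->endian = LITTLE; return;
 case '!': {
-int a = getnum(fmt, MAXALIGN);
+int a = getnum(L, fmt, MAXALIGN);
 if (!isp2(a))
 luaL_error(L, "alignment %d is not a power of 2", a);
 h->align = a;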
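Review bot: In getnum, the accumulation right after the new guard, `a = a*10 + *((*fmt)++) - '0';`, still adds the raw character code before subtracting '0', so the intermediate sum can exceed INT_MAX even when the guard has passed. This happens for any result within 48 of INT_MAX and is signed overflow, which is undefined behaviour in C. Grouping the digit first keeps every intermediate in range: `a = a*10 + (*((*fmt)++) - '0');`. Separately, the unchanged `isdigit(**fmt)` calls pass a plain `char` taken from the format string, which presumably can carry bytes above 0x7f from a script; `isdigit((unsigned char)**fmt)` would avoid undefined behaviour there. The guard also depends on luaL_error not returning, so a short comment such as `/* luaL_error does not return */` would make that explicit.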
