diff --git a/.gitignore b/.gitignore
index 2702e8e6..0825eb88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ __pycache__
 *.rej
 /fuzz/corpus/json/*
 !/fuzz/corpus/json/*.json
+*.code-workspace
diff --git a/VM/src/ares.cpp b/VM/src/ares.cpp
index 89e66818..4a277686 100644
--- a/VM/src/ares.cpp
+++ b/VM/src/ares.cpp
@@ -1780,6 +1780,9 @@ u_proto(Info *info) { /* ... proto */
 for (i=0; isizeyieldpoints; ++i) {
 p->yieldpoints[i] = READ_VALUE(int32_t);
+ if (p->yieldpoints[i] < 0 || p->yieldpoints[i] >= p->sizecode) {
+ eris_error(info, "malformed data: invalid yield point");
+ }
 }
 // Assign bytecodeid at the end after all dangerous unpersist calls
@@ -2268,8 +2271,6 @@ p_thread(Info *info) { /* ... thread */
 // PC relative to the start of the code
 int64_t pc_offset = ci->savedpc - lcl->l.p->code;
- // the PC had better be in bounds.
- eris_assert(pc_offset >= 0 && pc_offset < lcl->l.p->sizecode);
 int yield_point = -1;
 for (int j = 0; j< lcl->l.p->sizeyieldpoints; ++j) {
diff --git a/VM/src/lvmload.cpp b/VM/src/lvmload.cpp
index 2038184e..d48c5c81 100644
--- a/VM/src/lvmload.cpp
+++ b/VM/src/lvmload.cpp
@@ -602,6 +602,19 @@ static int loadsafe(
 for (int j = 0; j < num_yields; ++j)
 {
 p->yieldpoints[j] = readVarInt(data, size, offset);
+ if (p->yieldpoints[j] < 0 || p->yieldpoints[j] >= p->sizecode)
+ {
+ char chunkbuf[LUA_IDSIZE];
+ const char* chunkid = luaO_chunkid(chunkbuf, sizeof(chunkbuf), chunkname, strlen(chunkname));
+ lua_pushfstring(
+ L,
+ "%s: malformed bytecode: invalid yield point %d in proto %d",
+ chunkid,
+ p->yieldpoints[j],
+ i
+ );
+ return 1;
+ }
 }
 protos[i] = p;
diff --git a/build-cmd.sh b/build-cmd.sh
old mode 100644
new mode 100755
diff --git a/init_debian_buster.sh b/init_debian_buster.sh
old mode 100644
new mode 100755
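Review bot: The new range check in u_proto compares each yield point against `p->sizecode`, so it is only effective if sizecode has already been unpersisted when this loop runs; that read is outside the hunk and worth confirming, because a sizecode that is still zero or not yet read would either reject every yield point or let out-of-range ones through. The check also runs after the store into `p->yieldpoints[i]`, which is fine provided `eris_error` does not return to the caller; if it can, the loop continues with the bad value in place, so a `return` after the call or moving the check ahead of the store would be the safer shape. For parity with the lvmload.cpp diagnostic, the message could carry the offending value if eris_error accepts format arguments, e.g. `"malformed data: invalid yield point %d"`. The second hunk in this file drops the `eris_assert` that bounded `pc_offset` in p_thread; if that was the only guard before the yield-point search that follows it, the persist side now relies on that search failing cleanly for a savedpc outside the code array, which is outside the hunk and should be checked. Both u_proto and p_thread start outside their hunks.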
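Review bot: The new early `return 1` in the middle of loadsafe's proto loop leaves behind whatever per-load state the enclosing function set up before the loop; upstream Luau's loader pauses the collector by raising `L->global->GCthreshold` for the duration of loading and restores it only at the end, so if loadsafe (which starts outside the hunk) does the same, this return path needs the caller or a wrapper to restore it, otherwise a rejected chunk leaves GC paused. As with the ares.cpp check, the comparison against `p->sizecode` assumes the code section for this proto was already read; that ordering is outside the hunk and should be confirmed. The diagnostic itself looks right: the format has one `%s` and two `%d` matching the three arguments, and `chunkbuf` is sized by `LUA_IDSIZE` to match `luaO_chunkid`.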