[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Potential Null Pointer Dereference in resizebox method from lauxlib.c
- From: 云风 <cloudwu@...>
- Date: Sat, 22 Jul 2023 11:24:40 +0800
But resizebox is a static function, it’s used only by luaL_Buffer, and user cannot call it directly.
发自我的 iPhone
> 在 2023年7月22日,10:08,Yongchao Wang <chaowyc@gmail.com> 写道:
>
>
> Hi all,
> We have detected that the resizebox method may trigger a null pointer dereference. Here is a possible vulnerable trace:
>
> 1. Return null to caller at lapi.c:457
> // From lapi.c
> l_sinline void *touserdata (const TValue *o) {
> switch (ttype(o)) {
> case LUA_TUSERDATA: return getudatamem(uvalue(o));
> case LUA_TLIGHTUSERDATA: return pvalue(o);
> default: return NULL; // line 457 Return null
> }
> }
> 2. Return the return value of function touserdata, could be null, to caller at lapi.c:462.
> //From lapi.c
> LUA_API void *lua_touserdata (lua_State *L, int idx) {
> const TValue *o = index2value(L, idx);
> return touserdata(o); // line 462 Return null
> }
>
> 3. Function lua_touserdata executes and stores the return value to box (box can be null) at lauxlib.c:476
> and load value from box->size at lauxlib.c:477, which will lead to null pointer dereference
> // From lauxlib.c
> static void *resizebox (lua_State *L, int idx, size_t newsize) {
> void *ud;
> lua_Alloc allocf = lua_getallocf(L, &ud);
> UBox *box = (UBox *)lua_touserdata(L, idx); // line 476 box could be null
> void *temp = allocf(ud, box->box, box->bsize, newsize); // line 477 dereference box
> if (l_unlikely(temp == NULL && newsize > 0)) { /* allocation error? */
> lua_pushliteral(L, "not enough memory");
> lua_error(L); /* raise a memory error */
> }
> box->box = temp;
> box->bsize = newsize;
> return temp;
> }
>
> This could lead to a program crash or other unwanted behavior. Please fix it as soon as possible.
> Best
> Yongchao
