On 25.03.2011 at 05:19, Ricardo Ramos Massaro <ricardo.massaro@gmail.com> wrote:

> On Thu, Mar 24, 2011 at 7:44 PM, Alexander Gladysh <agladysh@gmail.com> wrote:
>> On Fri, Mar 25, 2011 at 01:35, Peter Cawley <lua@corsix.org> wrote:
>>> On Thu, Mar 24, 2011 at 10:28 PM, Daurnimator <quae@daurnimator.com> wrote:
>>>> Is there something wrong with
>>>>        int params = lua_gettop(L);
>>>>        char **argv = malloc(params);
>>>>        int i;
>>>>        for (i=1;i<=params;i++) {
>>>>                argv[i-1]=luaL_checkstring(L,i);
>>>>        }
>> 
>>> Yes:
>>> 1. The call to malloc may fail and return NULL, thus causing invalid
>>> memory access on "argv[i-1]".
>>> 2. The calls to luaL_checkstring may throw errors, thus leaking the
>>> memory allocated for "argv".
>> 
>> 3. It bypasses allocator that Lua state uses.
> 
> 4. It passes the wrong size to malloc(), it should be "params*sizeof(char*)"

That is wrong, too. Don't multiply in malloc; it can lead to (exploitable) security problems.
Rather, use calloc(params, sizeof (char *)).

> 
> - Ricardo
>
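
The size computation discussed in this thread, as an added example that is not part of the original messages: it shows how `count * sizeof(char *)` wraps for a large count, next to a pre-checked `malloc` and the `calloc` form. The helper names and the count used in `main` are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes that malloc(count * sizeof(char *)) really requests: size_t
   arithmetic wraps modulo SIZE_MAX + 1 instead of reporting an error. */
size_t wrapped_request(size_t count)
{
    return count * sizeof(char *);
}

/* Hypothetical helper: reject a count whose byte size does not fit in
   size_t before multiplying, and pass allocation failure to the caller. */
char **alloc_argv_checked(size_t count)
{
    if (count == 0 || count > SIZE_MAX / sizeof(char *))
        return NULL;
    return malloc(count * sizeof(char *));
}

/* The calloc form from the thread: the allocator multiplies the two
   arguments itself and must not return a block smaller than the product. */
char **alloc_argv_calloc(size_t count)
{
    return calloc(count, sizeof(char *));
}

int main(void)
{
    /* Constructed count, chosen so that the product wraps past SIZE_MAX. */
    size_t huge = SIZE_MAX / sizeof(char *) + 2;
    char **a = alloc_argv_checked(huge);
    char **b = alloc_argv_calloc(huge);
    char **c = alloc_argv_checked(4);

    printf("elements requested:      %zu\n", huge);
    printf("bytes after wraparound:  %zu\n", wrapped_request(huge));
    printf("checked malloc (huge):   %s\n", a ? "allocated" : "NULL");
    printf("calloc (huge):           %s\n", b ? "allocated" : "NULL");
    printf("checked malloc (4):      %s\n", c ? "allocated" : "NULL");

    free(a);
    free(b);
    free(c);
    return 0;
}
```

Either allocation can still return NULL for an ordinary count, so the caller has to test the result before writing to `argv[i-1]`, as point 1 in the thread says.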