

On 17.07.2015 at 19:57, Karl Skomski wrote:
I played around with lua + libfuzzer and can't continue because it always
stops because of the sheer number of luaL_loadbuffer calls resulting in a
heap-buffer-overflow.

#include <stdlib.h>

#include "lua.h"
#include "lauxlib.h"
#include "lualib.h"

unsigned long long persist_cnt;

int main(int argc, char** argv) {
   lua_State* L = luaL_newstate();

   unsigned long long persist_max = getenv("PERSIST_MAX") ?
     strtoull(getenv("PERSIST_MAX"), 0, 0) : 1010000;

try_again:
   /* loads an empty chunk; each call pushes one value onto the stack */
   luaL_loadbuffer(L, 0, 0, "stdin");

You should add a `printf("stack top: %d\n", lua_gettop(L));` here, and check the manual section [1] on stack size afterwards.


   if (persist_cnt++ < persist_max) {
     goto try_again;
   }

   lua_close(L);

   return 0;
}


Kind regards,

Karl Skomski


Philipp

  [1]: http://www.lua.org/manual/5.3/manual.html#4.2