On 17.07.2015 at 19:57, Karl Skomski wrote:
> I played around with lua + libfuzzer and can't continue because it always
> stops because of the sheer number of luaL_loadbuffer calls resulting in a
> heap-buffer-overflow.
>
> #include <stdlib.h>
> #include "lua.h"
> #include "lauxlib.h"
> #include "lualib.h"
>
> unsigned long long persist_cnt;
>
> int main(int argc, char** argv) {
>     lua_State* L = luaL_newstate();
>     unsigned long long persist_max = getenv("PERSIST_MAX") ?
>         strtoull(getenv("PERSIST_MAX"), 0, 0) : 1010000;
> try_again:
>     luaL_loadbuffer(L, 0, 0, "stdin");

You should add a `printf("stack top: %d\n", lua_gettop(L));` here, and check the manual section [1] on stack size afterwards.

>     if (persist_cnt++ < persist_max) {
>         goto try_again;
>     }
>     lua_close(L);
>     return 0;
> }
>
> Kind regards,
> Karl Skomski
Philipp
[1]: http://www.lua.org/manual/5.3/manual.html#4.2