lua-l archive


version: lua 5.3.4

Howdy,

I'm not sure whether this is really a bug or not, but it is probably
something worth looking at (?). Basically it looks like asking for a very
large allocation of memory (59GB in the case below) will happily be
accepted by Lua. This leads to pretty much a system halt because
eventually the system will run out of memory.

If you run this code in the Lua interpreter it will attempt to allocate
59GB of memory:

io.read(59e+9)--


The actual code will attempt to allocate the buffer before it checks
for the size of available memory and thus results in quite a big system
hang. In particular, the 'newsize' parameter is just taken straight in as
the io.read parameter and thus never really sanitized:

 static void *resizebox (lua_State *L, int idx, size_t newsize) {
   void *ud;
   lua_Alloc allocf = lua_getallocf(L, &ud);
   UBox *box = (UBox *)lua_touserdata(L, idx);
   void *temp = allocf(ud, box->box, box->bsize, newsize);
   if (temp == NULL && newsize > 0) {  /* allocation error? */
     resizebox(L, idx, 0);  /* free buffer */
     luaL_error(L, "not enough memory for buffer allocation");
   }

Lua doesn't crash, it just hangs as a result ..
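
An added example, not part of the original post and not code from the Lua sources: because resizebox hands 'newsize' straight to whatever allocator the host installed, an embedder can bound the damage with a capped allocator that returns NULL for oversized requests, which sends resizebox down its existing "not enough memory" error path. MemCap, capped_alloc and the 64 MiB limit are hypothetical; only the four-argument lua_Alloc signature is Lua's.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical accounting state, passed to the allocator as `ud`. */
typedef struct MemCap {
  size_t used;   /* bytes currently handed out */
  size_t limit;  /* hard ceiling for this Lua state (assumed policy) */
} MemCap;

/* Same signature as lua_Alloc, so it can be installed with
   lua_newstate(capped_alloc, &cap) or lua_setallocf(L, capped_alloc, &cap). */
static void *capped_alloc (void *ud, void *ptr, size_t osize, size_t nsize) {
  MemCap *cap = (MemCap *)ud;
  void *np;
  if (ptr == NULL) osize = 0;  /* for new blocks osize is a type tag, not a size */
  if (nsize == 0) {            /* free request */
    free(ptr);
    cap->used -= osize;
    return NULL;
  }
  /* Refuse growth past the limit before the system allocator is touched.
     used <= limit always holds, so the subtraction cannot wrap. */
  if (nsize > osize && nsize - osize > cap->limit - cap->used)
    return NULL;
  np = realloc(ptr, nsize);
  if (np == NULL) return NULL;  /* old block stays valid on failure */
  cap->used = cap->used - osize + nsize;
  return np;
}

/* Replays the call resizebox makes for io.read(59e+9): an empty box
   (NULL, 0) grown to roughly 59 GB. Returns 1 if the request is refused. */
static int oversized_request_refused (void) {
  MemCap cap = { 0, (size_t)64 * 1024 * 1024 };  /* constructed 64 MiB cap */
  void *temp = capped_alloc(&cap, NULL, 0, (size_t)59000000000ULL);
  if (temp != NULL) { capped_alloc(&cap, temp, (size_t)59000000000ULL, 0); return 0; }
  return cap.used == 0;  /* nothing was charged for the refused request */
}

int main (void) {
  printf("59 GB request refused: %d\n", oversized_request_refused());
  return 0;
}
```

With this allocator installed, the allocf call in resizebox gets NULL back immediately and the script sees a catchable Lua error instead of the host running out of memory.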