
As far as I know, this bug is known in older versions of Lua, and fixed in 5.3.4 and later versions by using unsigned integers for the pivot in `unbound_search` and `luaH_getn` [1].

As you can see there is an explicit overflow check in `unbound_search` before computing the pivot. For `auxsort`, the same check is performed in `sort` before calling it.

For `countlevels`, it doesn't exist anymore (replaced by `lastlevel` in 5.3.2) and I don't think this can possibly overflow in general since indices are bounded by the size of the stack, which is much less than `INT_MAX / 2`. *Maybe* it is possible to make it overflow in theory by changing `LUAI_MAXSTACK` in `luaconf.h` though?


Pierre Chapuis

On Mon, Jul 16, 2018, at 07:45, Dmitry wrote:

I checked a new version 5.3.5 of Lua and found an overflow bug in four functions.
The older versions of Lua also contain this error.

Affected functions.
   int countlevels (lua_State *L)

   int unbound_search (Table *t, unsigned int j) 
   int luaH_getn (Table *t);

   void auxsort (lua_State *L, TabA *ta, int l, int u)

The bug is very common. This equation leads to overflow.
m = (h + l) / 2;

The equation should be rewritten as:
m = l + (h - l) / 2;
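
The two pivot computations discussed in this thread, as an added example that is not part of the original messages and is not Lua's source code. All function names, the `present` stand-in for a table and the sample bounds are constructed for illustration; the search assumes `0 <= lo <= hi`.

```c
#include <limits.h>
#include <stdio.h>

/* 1 if the naive pivot (l + h) / 2 would overflow a signed int.
   Tested without doing the addition, since signed overflow is UB in C. */
int naive_sum_overflows(int l, int h) {
    return l > 0 && h > INT_MAX - l;
}

/* Rewrite quoted in the thread: h - l cannot overflow when 0 <= l <= h. */
int mid_diff(int l, int h) {
    return l + (h - l) / 2;
}

/* Unsigned variant (illustration of the idea mentioned in the reply):
   for 0 <= l, h <= INT_MAX the sum is at most 2 * INT_MAX, which fits
   in unsigned int on the usual platforms where UINT_MAX = 2*INT_MAX + 1. */
int mid_unsigned(int l, int h) {
    return (int)(((unsigned int)l + (unsigned int)h) / 2u);
}

/* Constructed stand-in for a table: indices 1..border hold a value. */
static int present(int i, int border) { return i <= border; }

/* Binary search for the last present index, given that lo is present
   and hi is absent. Also counts the iterations in which the naive
   pivot would have overflowed. */
int find_border(int lo, int hi, int border, int *unsafe_pivots) {
    *unsafe_pivots = 0;
    while (hi - lo > 1) {
        if (naive_sum_overflows(lo, hi))
            (*unsafe_pivots)++;
        int m = mid_diff(lo, hi);
        if (present(m, border))
            lo = m;
        else
            hi = m;
    }
    return lo;
}

int main(void) {
    int unsafe;
    int b = find_border(1, INT_MAX, INT_MAX - 5, &unsafe);
    printf("border=%d, pivots where (h + l) / 2 overflows: %d\n", b, unsafe);
    return 0;
}
```

With small bounds the counter stays at zero, which is why the naive form passes ordinary tests and only fails once indices approach `INT_MAX`.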