hi! while doing static code analyze with smatch, the following issue is reported: /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: ../../common/fs/zfs/lua/llex.c:76 luaX_token2str() error: buffer overflow 'luai_ctype_' 257 <= 257 meaning, it is possible, we would attempt to read memory with luai_ctype_[257]. This can happen despite the check ‘if (token < FIRST_RESERVED)’ because of call lisprint(token + 1). The simple idea of fix would be:
--- a/usr/src/uts/common/fs/zfs/lua/llex.c
+++ b/usr/src/uts/common/fs/zfs/lua/llex.c
@@ -71,7 +71,7 @@ void luaX_init (lua_State *L) {
 const char *luaX_token2str (LexState *ls, int token) {
- if (token < FIRST_RESERVED) { /* single-byte symbols? */
+ if (token < FIRST_RESERVED - 1) { /* single-byte symbols? */
 lua_assert(token == cast(unsigned char, token));
 return (lisprint(token)) ? luaO_pushfstring(ls->L, LUA_QL("%c"), token) :
 luaO_pushfstring(ls->L, "char(%d)", token);
but I’m not too familiar about lua internals, so it might not be quite correct… rgds, toomas |
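Review bot: The tightened condition moves the out-of-range read rather than removing it: the one value smatch flags, token == 256 (because `lisprint` indexes `luai_ctype_` at token + 1), would no longer take the single-byte branch and instead fall through to the reserved-token path, which lies outside this hunk and in Lua's llex.c resolves the name via `luaX_tokens[token - FIRST_RESERVED]`, i.e. index -1 — please confirm against the rest of luaX_token2str. A smaller change keeps the original bound and guards the ctype lookup itself, so the gap value is reported instead of indexed: `return (token <= UCHAR_MAX && lisprint(token)) ? luaO_pushfstring(ls->L, LUA_QL("%c"), token) :` with the existing `luaO_pushfstring(ls->L, "char(%d)", token);` continuation unchanged. The commit message should also state that the lexer never produces 256 — the `lua_assert(token == cast(unsigned char, token))` on the following line already encodes that invariant — so this is hardening for builds where lua_assert is compiled out, not a fix for a reachable defect.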