lua-users home
lua-l archive



hi!

while doing static code analysis with smatch, the following issue is reported:

    /code/illumos-gate/usr/src/tools/proto/root_i386-nd/opt/onbld/bin/i386/smatch: ../../common/fs/zfs/lua/llex.c:76 luaX_token2str() error: buffer overflow 'luai_ctype_' 257 <= 257

meaning it is possible that we would attempt to read memory at luai_ctype_[257]. This can happen despite the check ‘if (token < FIRST_RESERVED)’ because of the call lisprint(token + 1).

The simple idea of a fix would be:

--- a/usr/src/uts/common/fs/zfs/lua/llex.c
+++ b/usr/src/uts/common/fs/zfs/lua/llex.c
@@ -71,7 +71,7 @@ void luaX_init (lua_State *L) {

 

 

 const char *luaX_token2str (LexState *ls, int token) {
-  if (token < FIRST_RESERVED) {  /* single-byte symbols? */
+  if (token < FIRST_RESERVED - 1) {  /* single-byte symbols? */
     lua_assert(token == cast(unsigned char, token));
     return (lisprint(token)) ? luaO_pushfstring(ls->L, LUA_QL("%c"), token) :
                               luaO_pushfstring(ls->L, "char(%d)", token);
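Review bot: The tightened bound `token < FIRST_RESERVED - 1` on the changed line keeps the value 256 away from the lisprint() call, but it does so by sending that value down the reserved-token path that follows this branch, which is written for tokens at or above FIRST_RESERVED; unless that path is shown to cope with a value one below FIRST_RESERVED, the out-of-bounds read has only been moved, not removed. The `lua_assert(token == cast(unsigned char, token))` directly inside the branch already states the real precondition (the token fits in one byte), so the question to settle first is whether a token of 256 can reach luaX_token2str at runtime at all; if it cannot, the report is a false positive and a comment saying so, or an explicit `token <= UCHAR_MAX` test matching the assert, documents the intent more clearly than an adjusted literal, and the `single-byte symbols?` comment then reads true as written.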

but I’m not too familiar with lua internals, so it might not be quite correct…

rgds,
toomas
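The off-by-one the report describes, modelled in a small stand-alone program that is not part of the Lua sources or of the patch above. It assumes what the post implies: a classification table of UCHAR_MAX + 2 (257) entries indexed at c + 1 so that the end-of-stream marker -1 maps to slot 0, and FIRST_RESERVED equal to 257. It contrasts the guard from the hunk's original line with a guard phrased on the byte range the lua_assert already demands, and counts how many token values each one lets through to an out-of-bounds lookup.

```c
#include <limits.h>
#include <stdio.h>

/* Assumptions modelled on the post, not copied from Lua: the table has
 * UCHAR_MAX + 2 == 257 entries and is indexed at c + 1, so -1 lands in
 * slot 0 and bytes 0..255 land in slots 1..256. FIRST_RESERVED is taken
 * as 257, the value implied by the smatch report. */
#define CTYPE_SIZE      (UCHAR_MAX + 2)
#define FIRST_RESERVED  257
#define PRINTBIT        1

/* Constructed table: all zero, only its size matters for the bounds question. */
static const unsigned char ctype_table[CTYPE_SIZE] = { 0 };

/* Index computation in the shape of lisprint(): the +1 is the whole point. */
static int ctype_index(int c) { return c + 1; }

/* 1 if classifying c stays inside the table, 0 if it would read past the end. */
int ctype_index_in_bounds(int c) {
    int idx = ctype_index(c);
    return idx >= 0 && idx < CTYPE_SIZE;
}

/* Bounds-checked lookup: returns the printable bit (0 or 1), or -1 when the
 * read would fall outside the table instead of silently reading past it. */
int checked_isprint(int c) {
    if (!ctype_index_in_bounds(c)) return -1;
    return (ctype_table[ctype_index(c)] & PRINTBIT) != 0;
}

/* The guard as it stands on the hunk's '-' line. */
int original_guard_admits(int token) { return token < FIRST_RESERVED; }

/* A guard phrased on what the branch actually needs: a value that fits in
 * one byte, which is exactly what the lua_assert() inside the branch states. */
int byte_guard_admits(int token) { return token >= 0 && token <= UCHAR_MAX; }

/* Count token values below FIRST_RESERVED that a guard admits even though the
 * classification lookup for them lands outside the table. */
int count_oob_admissions(int (*guard)(int)) {
    int n = 0;
    for (int t = 0; t < FIRST_RESERVED; t++)
        if (guard(t) && !ctype_index_in_bounds(t))
            n++;
    return n;
}

int main(void) {
    printf("table size %d, index for token 256 is %d\n",
           CTYPE_SIZE, ctype_index(256));
    printf("original guard admits %d out-of-bounds token value(s)\n",
           count_oob_admissions(original_guard_admits));
    printf("byte-range guard admits %d out-of-bounds token value(s)\n",
           count_oob_admissions(byte_guard_admits));
    return 0;
}
```

The single offending value is 256: it passes `token < 257` but is indexed at 257 in a 257-entry table, which is precisely the `257 <= 257` smatch prints. Bounding on the byte range rather than on FIRST_RESERVED closes that gap without touching the reserved-token path.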