Re: luaX_token2str() error: buffer overflow 'luai_ctype

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: luaX_token2str() error: buffer overflow 'luai_ctype_'
From: Toomas Soome <tsoome@...>
Date: Wed, 9 Sep 2020 15:15:26 +0300

On 9. Sep 2020, at 14:42, Luiz Henrique de Figueiredo <lhf@tecgraf.puc-rio.br> wrote:

it is possible, we would attempt to read memory with luai_ctype_[257]

llex returns single-byte tokens (at most 255) or composite tokens
starting at FIRST_RESERVED, which is 257. Therefore, a token is never
256 and luai_ctype_[257] is never read.

Yes, You know that, compiler does not. Compiler only does know that we enter luaX_token2str(LexState *ls, int token) and int is 32-bit value, meaning that it is possible to construct code path with token == 256, and in such case, we read outside array bounds.

So, as the assumption is that 256 is impossible value, we can set up assert or condition to test that value.

rgds,

toomas

Follow-Ups:
- Re: luaX_token2str() error: buffer overflow 'luai_ctype_', Luiz Henrique de Figueiredo

References:
- luaX_token2str() error: buffer overflow 'luai_ctype_', Toomas Soome
- Re: luaX_token2str() error: buffer overflow 'luai_ctype_', Luiz Henrique de Figueiredo

Prev by Date: Re: luaX_token2str() error: buffer overflow 'luai_ctype_'
Next by Date: Re: luaX_token2str() error: buffer overflow 'luai_ctype_'
Previous by thread: Re: luaX_token2str() error: buffer overflow 'luai_ctype_'
Next by thread: Re: luaX_token2str() error: buffer overflow 'luai_ctype_'
Index(es):
- Date
- Thread