lua-users home
lua-l archive



>    I found a heap buffer overflow on read in the luaH_getshortstr
>    function.
>     
>    Lua version:
>    Lua 5.4.4  Copyright (C) 1994-2022 Lua.org, PUC-Rio (commit
>    5d708c3f9cae12820e415d4f89c9eacbe2ab964b)
>     
>    How to reproduce:
>    ----------
>    1. git clone https://github.com/lua/lua -q
>    2. cd lua/ && make -j$(nproc)
>    3. echo -n "bG9jYWwgdSxfLE4sXyx3LE4sZCxXCmZ1bmN0aW9uIGMoRSxMLGwsUyxULHUsTSxULGwsaCxoLHUsdSxsLGgsaCx1LHUsTSx1LHUsdSxsLGgsaCxsKXM9cyBsb2NhbAllLGUsXyxfLE4sZSxzMCxOLFYsXyBmdW5jdGlvbiBjKGIsbClpLHM9TiBsb2NhbCBjIGxvY2FsIF9FTlY8Y29uc3Q+ID0wIG89MCBmdW5jdGlvbiBlKCllbmQ7ZSIicmV0dXJuIGVuZDtlMCxhLHcscyxzLHM9IiJyZXR1cm4jYyIiZW5kO2VlPSIicmV0dXJuDGMiIg==" | base64 -d > poc
>    4. ./lua ./poc
>    ----------

Thanks for the report. It seems there is a 'luaK_exp2anyregup' missing
in 'singlevar':

--- a/lparser.c
+++ b/lparser.c
@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
     expdesc key;
     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
     lua_assert(var->k != VVOID);  /* this one must exist */
+    luaK_exp2anyregup(fs, var);  /* but could be a constant */
     codestring(&key, varname);  /* key is variable name */
     luaK_indexed(fs, var, &key);  /* env[varname] */
   }
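Review bot: the added `luaK_exp2anyregup(fs, var);` is correctly placed after `lua_assert(var->k != VVOID);`, so the conversion never runs on a void expression, but the change ships without a regression test and without a word on why the operand must be moved: the comment "but could be a constant" is the whole explanation, and nothing else in the hunk says what `luaK_indexed(fs, var, &key)` requires of its table operand. Suggest adding a test to the suite for the case the comment names (an environment variable that the parser resolves to a compile-time constant, then a global access through it), so the fix is reproducible without the base64 PoC from the report, and stating in the commit message that `luaK_indexed` is only valid once the table expression has been put in a register or upvalue, which is what `luaK_exp2anyregup` guarantees here.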


How did you find this bug?

-- Roberto