[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Found heap-buffer-overflow with grammar-based fuzzer
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 15 Mar 2023 17:04:39 -0300
> > > Loading binary files should be resistant to bad data.
> > I would say that it is not resistant to bad data. Have a look at https://github.com/lua/lua/blob/c4b71b7ba0dee419b5bda1ec297eca8e42c9f1d2/lundump.c#L250-L252
> > were n is loaded and can cause a buffer overflow when it is larger than
> > the allocated upvalues array.
> That seems to be a bug, thanks for the report.
Actually, there is a good chance that it is *the* bug. Although I'm
unable to replicate the buffer overflow, the gsub seems to be
changing the number of upvalues of a closure, so it is reasonable
that a subsequent read of the dubg information (which should have
the same number of upvalues) can cause a buffer overflow.