Buffer over-read in l

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Buffer over-read in l_strcmp
From: Xmilia Hermit <xmilia.hermit@...>
Date: Fri, 9 Jun 2023 02:03:45 +0200

Hi,

I found a buffer over-read in l_strcmp. The function uses strcoll butdoes not account for the possibility that two strings with differentlengths can result in a zero retrun from strcoll. To account for zerosin Lua strings the strlen from one of the strings is taken and assumedto be the length to a zero character in both strings, but this might notbe the case and can result in a segmentation fault.

For the following example to work the km_KH.UTF-8 locale needs to beinstalled on the system.


assert(os.setlocale("km_KH.UTF-8") == "km_KH.UTF-8", "Locale not installed")
local A = "\u{17A4}";
local B = "\u{17A2}\u{17B6}";
assert(A <= B and B <= A, "Strings should be equal")
print(string.rep(B, 100000) .. "\0" < string.rep(A, 100000))

Regards,
Xmilia

Follow-Ups:
- Re: Buffer over-read in l_strcmp, Andrew Gierth
- Re: Buffer over-read in l_strcmp, Roberto Ierusalimschy

Prev by Date: Re: Help getting function name inside "freeobj"
Next by Date: Re: Buffer over-read in l_strcmp
Previous by thread: Re: Help getting function name inside "freeobj"
Next by thread: Re: Buffer over-read in l_strcmp
Index(es):
- Date
- Thread