lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


I found a buffer over-read in l_strcmp. The function uses strcoll but does not account for the possibility that two strings with different lengths can result in a zero retrun from strcoll. To account for zeros in Lua strings the strlen from one of the strings is taken and assumed to be the length to a zero character in both strings, but this might not be the case and can result in a segmentation fault.

For the following example to work the km_KH.UTF-8 locale needs to be installed on the system.

assert(os.setlocale("km_KH.UTF-8") == "km_KH.UTF-8", "Locale not installed")
local A = "\u{17A4}";
local B = "\u{17A2}\u{17B6}";
assert(A <= B and B <= A, "Strings should be equal")
print(string.rep(B, 100000) .. "\0" < string.rep(A, 100000))