Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF
From: Sergey Bronnikov <sergeyb@...>
Date: Thu, 31 Aug 2023 15:42:33 +0300


On 8/31/23 15:32, Roberto Ierusalimschy wrote:

31 августа 2023 г. 12:24:38 GMT+03:00, "云风 Cloud Wu" <cloudwu@gmail.com> пишет:

I updated lua source from https://github.com/lua/lua today, and my
project crashed.

I found the TString is not initialized before getshrstr().

https://github.com/lua/lua/blob/master/lstring.c#L209-L211

I think it should be :

  ts = createstrobj(L, l, LUA_VSHRSTR, h);
  ts->shrlen = cast_byte(l);
  memcpy(getshrstr(ts), str, l * sizeof(char));

The `ts->shrlen` should be initialized before memcpy().

It was reported here
https://marc.info/?l=lua-l&m=169289729129364&w=2

And, as far as we know, it shouldn't cause a crash, but only a failed
assert, if and only if asserts are on (which is not the default).


Absolutely true. I'm enabled LUAI_ASSERT and LUA_USE_APICHECK intentionally,

to make testing more rigorous in fuzzing tests.


-- Roberto

References:
- Bug report : (lstring.c:210) (ts)->shrlen != 0xFF, 云风 Cloud Wu
- Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF, Sergey Bronnikov
- Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF, Roberto Ierusalimschy

Prev by Date: Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF
Next by Date: Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF
Previous by thread: Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF
Next by thread: Re: Bug report : (lstring.c:210) (ts)->shrlen != 0xFF
Index(es):
- Date
- Thread