authorMike Pall <mike>2020-04-28 17:52:28 +0200
committerMike Pall <mike>2020-04-28 17:52:28 +0200
commit179cf2eb84fef2b9a524469c3c8cc49363b8fb10 (patch)
tree1611274769c6c167af6a43ad92fa4aa3decf3c49 /src/lib_base.c
parentdb0b7ec194f9535c292a6084bd4bf57e9baf8b7e (diff)
Fix overflow check in unpack().
Thanks to HybridDog.
Diffstat (limited to 'src/lib_base.c')
-rw-r--r--src/lib_base.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib_base.c b/src/lib_base.c
index dae61fe1..99f7b44a 100644
--- a/src/lib_base.c
+++ b/src/lib_base.c
@@ -219,9 +219,11 @@ LJLIB_CF(unpack)
int32_t n, i = lj_lib_optint(L, 2, 1);
int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ?
lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t);
+ uint32_t nu;
if (i > e) return 0;
- n = e - i + 1;
- if (n <= 0 || !lua_checkstack(L, n))
+ nu = (uint32_t)e - (uint32_t)i;
+ n = (int32_t)(nu+1);
+ if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n))
lj_err_caller(L, LJ_ERR_UNPACK);
do {
cTValue *tv = lj_tab_getint(t, i);
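Review bot: The assignment `n = (int32_t)(nu+1);` runs before `nu` is range-checked, so for extreme `i`/`e` arguments `n` can hold a wrapped or negative value, and `nu+1` wraps to 0 when `nu` is `UINT32_MAX`. The code is safe only because `nu >= LUAI_MAXCSTACK` is tested first and short-circuits before `lua_checkstack(L, n)` sees `n`. That ordering dependency is easy to break in a later edit and deserves a comment above the check, for example `/* e - i + 1 can overflow int32_t, so use the unsigned difference; nu must be tested before n is used. */`. This assumes `LUAI_MAXCSTACK` is no larger than `INT32_MAX`, which is not visible on this page. The body of `unpack` starts above the hunk, and the `do` loop continues past its last line.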