diff options
author | Mike Pall <mike> | 2020-04-28 17:52:28 +0200 |
---|---|---|
committer | Mike Pall <mike> | 2020-04-28 17:52:28 +0200 |
commit | 179cf2eb84fef2b9a524469c3c8cc49363b8fb10 (patch) | |
tree | 1611274769c6c167af6a43ad92fa4aa3decf3c49 /src/lib_base.c | |
parent | db0b7ec194f9535c292a6084bd4bf57e9baf8b7e (diff) | |
download | luajit2-179cf2eb84fef2b9a524469c3c8cc49363b8fb10.tar.gz |
Fix overflow check in unpack().
Thanks to HybridDog.
Diffstat (limited to 'src/lib_base.c')
-rw-r--r-- | src/lib_base.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib_base.c b/src/lib_base.c index dae61fe1..99f7b44a 100644 --- a/src/lib_base.c +++ b/src/lib_base.c @@ -219,9 +219,11 @@ LJLIB_CF(unpack) int32_t n, i = lj_lib_optint(L, 2, 1); int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ? lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t); + uint32_t nu; if (i > e) return 0; - n = e - i + 1; - if (n <= 0 || !lua_checkstack(L, n)) + nu = (uint32_t)e - (uint32_t)i; + n = (int32_t)(nu+1); + if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n)) lj_err_caller(L, LJ_ERR_UNPACK); do { cTValue *tv = lj_tab_getint(t, i); |