authorSun He <sunheehnus@gmail.com>2015-12-13 13:47:22 +0800
committerSun He <sunheehnus@gmail.com>2015-12-13 13:47:22 +0800
commit3a47c8cfb85af1b69cccf30eaaa690e4a23ab20a (patch)
tree9ce47f7bf9adc9c25f7f60b4c237ca920624abc4 /deps/lua
parent69897f5f30398f313497a695344aa9ed08919441 (diff)
lua_struct.c/getnum: throw error if overflow happen
Fix issue #2855
Diffstat (limited to 'deps/lua')
-rw-r--r--deps/lua/src/lua_struct.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c
index ec78bcbc0..a602bb430 100644
--- a/deps/lua/src/lua_struct.c
+++ b/deps/lua/src/lua_struct.c
@@ -89,12 +89,14 @@ typedef struct Header {
} Header;
-static int getnum (const char **fmt, int df) {
+static int getnum (lua_State *L, const char **fmt, int df) {
if (!isdigit(**fmt)) /* no number? */
return df; /* return default value */
else {
int a = 0;
do {
+ if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0')))
+ luaL_error(L, "integral size overflow");
a = a*10 + *((*fmt)++) - '0';
} while (isdigit(**fmt));
return a;
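Review bot: The accumulation `a = a*10 + *((*fmt)++) - '0';` can still overflow in its intermediate sum after the new guard passes, because it adds the raw character code before subtracting `'0'`. With a 32-bit int, a == INT_MAX / 10 and a next digit of 7 satisfy the guard, yet `a*10 + '7'` exceeds INT_MAX, which is undefined behaviour for signed int even though the final value would fit. Grouping the digit first closes that gap: `a = a*10 + (*((*fmt)++) - '0');`. The guard also relies on INT_MAX, so the file needs `<limits.h>`; whether it is already included is not visible here. getnum's body continues past the end of this hunk.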
@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) {
case 'f': return sizeof(float);
case 'd': return sizeof(double);
case 'x': return 1;
- case 'c': return getnum(fmt, 1);
+ case 'c': return getnum(L, fmt, 1);
case 'i': case 'I': {
- int sz = getnum(fmt, sizeof(int));
+ int sz = getnum(L, fmt, sizeof(int));
if (sz > MAXINTSIZE)
luaL_error(L, "integral size %d is larger than limit of %d",
sz, MAXINTSIZE);
@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt,
case '>': h->endian = BIG; return;
case '<': h->endian = LITTLE; return;
case '!': {
- int a = getnum(fmt, MAXALIGN);
+ int a = getnum(L, fmt, MAXALIGN);
if (!isp2(a))
luaL_error(L, "alignment %d is not a power of 2", a);
h->align = a;