From 70c4345dbc19c2e304d8d481ccb391990b61c425 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 13 Aug 2021 08:11:00 +0200
Subject: [PATCH] BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions

In Channel and HTTPMessage classes, several functions uses an offset that may be negative to start from the end of incoming data. But, after calculation, the offset must never be negative. However, there is a bug because of a bad cast to unsigned when "input + offset" is performed. The result must be a signed integer. This patch should fix most of defects reported in the issue #1347. It only affects 2.5-dev. No backport needed.
---
 src/hlua.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/src/hlua.c b/src/hlua.c
index be95a97..717380c 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3120,7 +3120,7 @@ __LJMP static int hlua_channel_get_data_yield(lua_State *L, int status, lua_KCon
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -3183,7 +3183,7 @@ __LJMP static int hlua_channel_get_line_yield(lua_State *L, int status, lua_KCon
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -3519,9 +3519,8 @@ __LJMP static int hlua_channel_insert_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
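Review bot: In hlua_channel_get_data_yield, `offset = MAY_LJMP(luaL_checkinteger(L, 2));` narrows a `lua_Integer` into `offset` before anything bounds it; if `offset` is an `int`, as the new `(int)input` cast suggests (the declaration is outside the hunk), a script value beyond the int range wraps to an unrelated offset that can then pass the `offset > input + output` test. Keeping the value in a `lua_Integer` until it has been compared with `input`, for example `lua_Integer v = MAY_LJMP(luaL_checkinteger(L, 2));` followed by `if (v > (lua_Integer)input)` raising the existing "offset out of range." error, removes the dependence on that conversion. The same assignment appears unchanged in the other eight hunks of this patch. Each function body starts and ends outside its hunk.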
@@ -3579,7 +3578,7 @@ __LJMP static int hlua_channel_set_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -3653,7 +3652,7 @@ __LJMP static int hlua_channel_del_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -6478,7 +6477,7 @@ __LJMP static int hlua_http_msg_get_body(lua_State *L)
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -6596,9 +6595,8 @@ __LJMP static int hlua_http_msg_insert_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
@@ -6639,9 +6637,8 @@ __LJMP static int hlua_http_msg_del_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
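Review bot: The offset normalisation and range test in hlua_channel_set_data are a hand-copied block that this patch has to correct in nine places, and the copies have already drifted (`input + output` here, `output + input` in the insert_data and http_msg_del_data hunks), so a future fix to the bounds logic can easily miss one of them. Moving the block into one static helper would give the check a single home and let it keep the Lua value in `lua_Integer` until it has been bounded. The sketch below assumes `input` and `output` are `size_t` and `offset` is an `int`; their declarations, and the end of the `if` block it replaces, are outside the hunk.

```c
/* Proposed helper: name and parameter types are suggestions to be matched
 * against the callers' declarations. Returns the absolute offset or raises
 * the existing Lua error. */
__LJMP static int hlua_checked_offset(lua_State *L, int arg, size_t input, size_t output)
{
	lua_Integer off = MAY_LJMP(luaL_checkinteger(L, arg));

	if (off < 0)
		off = MAX(0, (lua_Integer)input + off);
	if (off > (lua_Integer)input) {
		lua_pushfstring(L, "offset out of range.");
		WILL_LJMP(lua_error(L));
	}
	return (int)(off + (lua_Integer)output);
}

/* … unchanged: hlua_channel_set_data up to the argument-count test … */
	if (lua_gettop(L) > 2)
		offset = hlua_checked_offset(L, 3, input, output);
```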
@@ -6701,7 +6698,7 @@ __LJMP static int hlua_http_msg_set_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
--
1.7.10.4
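Review bot: The `(int)` cast in `offset = MAX(0, (int)input + offset);` carries the whole fix, yet nothing at the call site in hlua_http_msg_set_data records why it is there, so a later cleanup could remove it as redundant and reintroduce the bug. A one-line comment above the statement would preserve the reason: `/* input is unsigned: without the cast "input + offset" is unsigned and MAX() can never clamp it to 0 */`. The cast also relies on `input` fitting in an int, which presumably holds for buffer sizes here but is not visible in the hunk and would be worth stating in the same comment. The same comment fits the other eight hunks of this patch.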