<HTML><BODY><div>Hi, Sergey!</div><div>Thanks for the patch!</div><div>Please consider my comments below:</div><div> </div><blockquote style="border-left:1px solid #0857A6; margin:10px; padding:0 0 0 10px;">from Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org>:<br> <div id=""><div class="js-helper js-readmsg-msg"><div><div id="style_16612421880825487858_BODY">From: Mike Pall <mike><br><br>Thanks to HybridDog.<br><br>When build with optimization compiler may throw away overflow check in<br>`unpack()` base library function.</div></div></div></div></blockquote><div>Typo: s/build with optimization/built with optimization/</div><div>Also, I think we should mention the specific optimization that causes the mentioned behavior, since it is not mentioned in either the LuaJIT issue or the original Lua issue.</div><blockquote style="border-left:1px solid #0857A6; margin:10px; padding:0 0 0 10px;"><div><div class="js-helper js-readmsg-msg"><div><div><br>This patch prevents aforementioned error by comparing the unsigned<br>amount of values to unpack with `LUAI_MAXCSTACK` instead of 0.<br><br>Sergey Kaplun:<br>* added the description and the test for the problem<br><br>Part of tarantool/tarantool#7230<br>---<br><br>Issue/PR:<br>* <a href="https://github.com/LuaJIT/LuaJIT/pull/574" target="_blank">https://github.com/LuaJIT/LuaJIT/pull/574</a><br>* <a href="https://github.com/tarantool/tarantool/issues/7230" target="_blank">https://github.com/tarantool/tarantool/issues/7230</a><br>Branch: <a 
href="https://github.com/tarantool/luajit/tree/skaplun/lj-574-overflow-unpack-full-ci" target="_blank">https://github.com/tarantool/luajit/tree/skaplun/lj-574-overflow-unpack-full-ci</a><br>PR: <a href="https://github.com/tarantool/tarantool/pull/7596" target="_blank">https://github.com/tarantool/tarantool/pull/7596</a><br><br> src/lib_base.c | 6 ++++--<br> test/tarantool-tests/lj-574-overflow-unpack.test.lua | 12 ++++++++++++<br> 2 files changed, 16 insertions(+), 2 deletions(-)<br> create mode 100644 test/tarantool-tests/lj-574-overflow-unpack.test.lua<br><br>diff --git a/src/lib_base.c b/src/lib_base.c<br>index 613a1859..cf57b4f2 100644<br>--- a/src/lib_base.c<br>+++ b/src/lib_base.c<br>@@ -224,9 +224,11 @@ LJLIB_CF(unpack)<br>   int32_t n, i = lj_lib_optint(L, 2, 1);<br>   int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ?<br>  lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t);<br>+ uint32_t nu;<br>   if (i > e) return 0;<br>- n = e - i + 1;<br>- if (n <= 0 || !lua_checkstack(L, n))<br>+ nu = (uint32_t)e - (uint32_t)i;<br>+ n = (int32_t)(nu+1);<br>+ if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n))<br>     lj_err_caller(L, LJ_ERR_UNPACK);<br>   do {<br>     cTValue *tv = lj_tab_getint(t, i);<br>diff --git a/test/tarantool-tests/lj-574-overflow-unpack.test.lua b/test/tarantool-tests/lj-574-overflow-unpack.test.lua<br>new file mode 100644<br>index 00000000..6715d947<br>--- /dev/null<br>+++ b/test/tarantool-tests/lj-574-overflow-unpack.test.lua<br>@@ -0,0 +1,12 @@<br>+local tap = require('tap')<br>+<br>+-- Test file to demonstrate integer overflow in the `unpack()`<br>+-- function due to compiler optimization.<br>+-- See also <a href="https://github.com/LuaJIT/LuaJIT/pull/574" target="_blank">https://github.com/LuaJIT/LuaJIT/pull/574</a>.<br>+local test = tap.test('lj-574-overflow-unpack')<br>+test:plan(1)<br>+<br>+local r, e = pcall(unpack, {}, 0, 2^31 - 1)<br>+test:ok(not r and e == 'too many results to unpack', 'overflow check in 
unpack')<br>+<br>+os.exit(test:check() and 0 or 1)<br>--<br>2.34.1</div></div></div></div></blockquote><div><div>--<br>Best regards,</div><div>Maxim Kokryashkin</div></div></BODY></HTML>
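Review bot: in the `src/lib_base.c` hunk, `n = (int32_t)(nu+1);` runs before `nu >= LUAI_MAXCSTACK` is tested, so for an out-of-range request `n` briefly holds a wrapped or negative value (for example, `nu+1` is 0 when `nu` is `0xFFFFFFFF`). The short-circuit `||` keeps that value away from `lua_checkstack()`, but the ordering is easy to break in a later edit. Consider assigning `n` after the range check, or adding a one-line comment saying that the subtraction is unsigned because the signed `e - i + 1` can overflow and the old `n <= 0` test can then be dropped by the compiler.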
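Review bot: the new test in `lj-574-overflow-unpack.test.lua` covers a single range, `pcall(unpack, {}, 0, 2^31 - 1)`, and its header comment does not say that the failure is expected only when the compiler optimizes the old check away. Consider stating that build precondition in the comment, and adding a second case with a negative start index so that `e - i` itself exceeds the `int32_t` range, with `test:plan()` raised to match.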
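The unsigned range check discussed in this thread, as an added example that is not code from the patch or from LuaJIT: it models the patched comparison and checks it against a 64-bit reference on every pair of `int32_t` boundary values. `ASSUMED_MAXCSTACK`, the enum and the function names are assumptions made for illustration, and the `lua_checkstack()` call is left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for illustration; the patch compares against LUAI_MAXCSTACK. */
#define ASSUMED_MAXCSTACK 8000u

enum range_result { RANGE_EMPTY, RANGE_OK, RANGE_TOO_MANY };

/* Reference: the count e - i + 1 in 64 bits, where it cannot overflow. */
static enum range_result classify_reference(int32_t i, int32_t e, int32_t *n)
{
  int64_t wide = (int64_t)e - (int64_t)i + 1;
  if (wide <= 0) return RANGE_EMPTY;
  if (wide > (int64_t)ASSUMED_MAXCSTACK) return RANGE_TOO_MANY;
  *n = (int32_t)wide;
  return RANGE_OK;
}

/* Shape of the patched check: unsigned subtraction wraps instead of being
 * undefined, so the compiler has no licence to drop the comparison. */
static enum range_result classify_unsigned(int32_t i, int32_t e, int32_t *n)
{
  uint32_t nu;
  if (i > e) return RANGE_EMPTY;
  nu = (uint32_t)e - (uint32_t)i;          /* exact difference, since i <= e */
  if (nu >= ASSUMED_MAXCSTACK) return RANGE_TOO_MANY;
  *n = (int32_t)(nu + 1);                  /* nu < 8000 here, so this fits */
  return RANGE_OK;
}

/* Compare both forms on every pair of int32_t boundary values. */
static int count_mismatches(void)
{
  static const int32_t edge[] = { INT32_MIN, INT32_MIN + 1, -1, 0, 1,
                                  7999, 8000, INT32_MAX - 1, INT32_MAX };
  int bad = 0;
  for (size_t a = 0; a < sizeof edge / sizeof edge[0]; a++)
    for (size_t b = 0; b < sizeof edge / sizeof edge[0]; b++) {
      int32_t n1 = 0, n2 = 0;
      enum range_result r1 = classify_reference(edge[a], edge[b], &n1);
      enum range_result r2 = classify_unsigned(edge[a], edge[b], &n2);
      if (r1 != r2 || n1 != n2) bad++;
    }
  return bad;
}

int main(void)
{
  printf("mismatches: %d\n", count_mismatches());
  return 0;
}
```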