From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 93E5F2478C for ; Thu, 24 Jan 2019 16:27:08 -0500 (EST) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jvZmvb656JPS for ; Thu, 24 Jan 2019 16:27:08 -0500 (EST) Received: from smtpng3.m.smailru.net (smtpng3.m.smailru.net [94.100.177.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id 50B24246D9 for ; Thu, 24 Jan 2019 16:27:08 -0500 (EST) Subject: [tarantool-patches] Re: [PATCH v2 1/3] lua-yaml: verify arguments count References: <58ccdb031d0befd0e80d50a4684f5e7a59182062.1548123025.git.alexander.turenko@tarantool.org> From: Vladislav Shpilevoy Message-ID: <04a54285-aa7c-2726-0077-64c14a40dde6@tarantool.org> Date: Fri, 25 Jan 2019 00:26:53 +0300 MIME-Version: 1.0 In-Reply-To: <58ccdb031d0befd0e80d50a4684f5e7a59182062.1548123025.git.alexander.turenko@tarantool.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: tarantool-patches-bounce@freelists.org Errors-to: tarantool-patches-bounce@freelists.org Reply-To: tarantool-patches@freelists.org List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: tarantool-patches List-subscribe: List-owner: List-post: List-archive: To: tarantool-patches@freelists.org, Alexander Turenko Cc: AKhatskevich Thanks for the patch! On 22/01/2019 05:12, Alexander Turenko wrote: > From: AKhatskevich > > Added arguments count check for yaml.encode() and decode.decode() Typo: 'decode.decode' -> 'yaml.decode'. > functions. > > Without these checks the functions could read garbage outside of a Lua > stack when called w/o arguments. Honestly, I do not understand how is it possible. Please, provide a test for both functions. See my 3 doubts below. > --- > third_party/lua-yaml/lyaml.cc | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/third_party/lua-yaml/lyaml.cc b/third_party/lua-yaml/lyaml.cc > index c6d118a79..9b07992d8 100644 > --- a/third_party/lua-yaml/lyaml.cc > +++ b/third_party/lua-yaml/lyaml.cc > @@ -400,7 +400,8 @@ static void load(struct lua_yaml_loader *loader) { > */ > static int l_load(lua_State *L) { > struct lua_yaml_loader loader; > - if (! lua_isstring(L, 1)) { > + int top = lua_gettop(L); > + if (!(top == 1 || top == 2) || !lua_isstring(L, 1)) { 1. How could the old code lead to a bug, if there was a check if the first argument is a string? The second argument is not used until the next hunk, about which see my next comment > usage_error: > return luaL_error(L, "Usage: yaml.decode(document, "\ > "[{tag_only = boolean}])"); > @@ -416,7 +417,7 @@ usage_error: > return luaL_error(L, OOM_ERRMSG); > yaml_parser_set_input_string(&loader.parser, (yaml_char_t *) document, len); > bool tag_only; > - if (lua_gettop(L) > 1) { > + if (lua_gettop(L) == 2) { 2. This function never touches anything beyond second value on the stack, so here lua_gettop(L) > 1 means the same as lua_gettop(L) == 2 - the second argument exist. Third and next values do not matter. > if (! lua_istable(L, 2)) > goto usage_error; > lua_getfield(L, 2, "tag_only"); > @@ -794,7 +795,7 @@ error: > static int l_dump(lua_State *L) { > struct luaL_serializer *serializer = luaL_checkserializer(L); > int top = lua_gettop(L); > - if (top > 2) { > + if (!(top == 1 || top == 2)) { 3. Here my reasoning is the same - the previous checking works as well. > usage_error: > return luaL_error(L, "Usage: encode(object, {tag_prefix = , "\ > "tag_handle = })"); >