From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id CA241581FDB; Thu, 17 Aug 2023 13:54:01 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org CA241581FDB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1692269641; bh=YqeFgFO0zuf1U3noX/v/2YNiJwpCeyrEVnoKgYBsnF0=; h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=RDnXx8pkMqqLJcbO7Biw0Qv/jGwBMS2oyVn1NKYgBJepftyJTR9wew1WSbyXdFfeh ItEHY0HzEcjGN3WdvDUEnxcBCzm4QK0DlsccHbqCmlCfpHDZNlbUOq4WUAFEGWGRYE i8AjWeowpPWoqlDVYcNh/I6Wg0/OjT9yY1VRASio= Received: from smtp59.i.mail.ru (smtp59.i.mail.ru [95.163.41.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 0940F581FDB for ; Thu, 17 Aug 2023 13:54:00 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 0940F581FDB Received: by smtp59.i.mail.ru with esmtpa (envelope-from ) id 1qWada-00AAwz-1c; Thu, 17 Aug 2023 13:53:59 +0300 Message-ID: <713d9ff4-87ff-03a0-1f89-72b8b9b4b9d5@tarantool.org> Date: Thu, 17 Aug 2023 13:53:57 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Content-Language: en-US To: Sergey Kaplun , Igor Munkin References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Mailru-Src: smtp X-4EC0790: 10 X-7564579A: EEAE043A70213CC8 X-77F55803: 4F1203BC0FB41BD93AA62145E837FE287BD17FB31885916E472656A32A0A88AB182A05F5380850404C228DA9ACA6FE27A9B22512A088627C34DFADD73AE18D4AF7BEA8810056B911DCFA2C3CDD1A008D X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE77603ADE015AF816DEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637775FFFCA96730EC9EA1F7E6F0F101C6723150C8DA25C47586E58E00D9D99D84E1BDDB23E98D2D38BE5CCB53A13BC8DBABFB6578C46D22FCC6943F22B52EB2907CC7F00164DA146DAFE8445B8C89999728AA50765F7900637CCF9B28722A5D30D389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC80CABCCA60F52D7EBF6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA73AA81AA40904B5D9A18204E546F3947C2D01283D1ACF37BAC0837EA9F3D197644AD6D5ED66289B523666184CF4C3C14F6136E347CC761E07725E5C173C3A84C36E36DCD5FF651F90BA3038C0950A5D36B5C8C57E37DE458B330BD67F2E7D9AF16D1867E19FE14079C09775C1D3CA48CF3D321E7403792E342EB15956EA79C166176DF2183F8FC7C057739F23D657EF2BD5E8D9A59859A8B60A9A04DE7321024275ECD9A6C639B01B4E70A05D1297E1BBCB5012B2E24CD356 X-C1DE0DAB: 0D63561A33F958A5EE667B99597F099D4858153B78ED278C6EF70D9CB5795A30F87CCE6106E1FC07E67D4AC08A07B9B0034D30FDF2F620DBCB5012B2E24CD356 X-C8649E89: 1C3962B70DF3F0ADBF74143AD284FC7177DD89D51EBB7742424CF958EAFF5D571004E42C50DC4CA955A7F0CF078B5EC49A30900B95165D3480665FBD8F49180C6CED90E28137AC2E81F39A1E94084969B1FB4F785DFB95115DDB46E7E45C72C41D7E09C32AA3244C8359B70D72AC87A75F2B25F8C1B77E58A8CE788DE6831205BAD658CF5C8AB4025DA084F8E80FEBD3FFA33E6B6B2F82C47A83BD0C44CE203720ABEDE4BBDD9CDD X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojFRrmMqSMPxpR5DPNfga77Q== X-Mailru-Sender: 11C2EC085EDE56FAC07928AF2646A7694617759BAEE568A334DFADD73AE18D4A21401CF93FD6FA55EBA65886582A37BD66FEC6BF5C9C28D98A98C1125256619760D574B6FC815AB872D6B4FCE48DF648AE208404248635DF X-Mras: Ok Subject: Re: [Tarantool-patches] [PATCH luajit 16/19] Prevent integer overflow while parsing long strings. X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Bronnikov via Tarantool-patches Reply-To: Sergey Bronnikov Cc: tarantool-patches@dev.tarantool.org Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" Hi, Sergey! thanks for the patch! test duration is about 7 sec, I propose to add a print before string.rep: print('# test generation requires about 7 sec') Otherwise it looks like test hang. Feel free to ignore. LGTM after fixing comments from Max. Sergey On 8/9/23 18:36, Sergey Kaplun wrote: > From: Mike Pall > > (cherry-picked from commit 16e5605eec2e3882d709c6b123a644f6a8023945) > > This commit fixes possible integer overflow of the separator's length > counter during parsing long strings. It may lead to the fact, that > parser considers a string with unbalanced long brackets to be correct. > Since this is pointless to parse too long string separators in the hope, > that the string is correct, just use hardcoded limit (2 ^ 25 is enough). > > Be aware that this limit is different for Lua 5.1. > > We can't check the string overflow itself without a really large file, > because the ERR_MEM error will be raised, due to the string buffer > reallocations during parsing. Keep such huge file in the repo is > pointless, so just check that we don't parse long string after > aforementioned separator length. > > Sergey Kaplun: > * added the description and the test for the problem > > Part of tarantool/tarantool#8825 > --- > src/lj_lex.c | 2 +- > .../lj-812-too-long-string-separator.test.lua | 31 +++++++++++++++++++ > 2 files changed, 32 insertions(+), 1 deletion(-) > create mode 100644 test/tarantool-tests/lj-812-too-long-string-separator.test.lua > > diff --git a/src/lj_lex.c b/src/lj_lex.c > index 52856912..c66660d7 100644 > --- a/src/lj_lex.c > +++ b/src/lj_lex.c > @@ -138,7 +138,7 @@ static int lex_skipeq(LexState *ls) > int count = 0; > LexChar s = ls->c; > lua_assert(s == '[' || s == ']'); > - while (lex_savenext(ls) == '=') > + while (lex_savenext(ls) == '=' && count < 0x20000000) > count++; > return (ls->c == s) ? count : (-count) - 1; > } > diff --git a/test/tarantool-tests/lj-812-too-long-string-separator.test.lua b/test/tarantool-tests/lj-812-too-long-string-separator.test.lua > new file mode 100644 > index 00000000..fda69d17 > --- /dev/null > +++ b/test/tarantool-tests/lj-812-too-long-string-separator.test.lua > @@ -0,0 +1,31 @@ > +local tap = require('tap') > + > +-- Test to check that we avoid parsing of too long separator > +-- for long strings. > +-- See also the discussion in the > +-- https://github.com/LuaJIT/LuaJIT/issues/812. > + > +local test = tap.test('lj-812-too-long-string-separator'):skipcond({ > + ['Test requires GC64 mode enabled'] = not require('ffi').abi('gc64'), > +}) > +test:plan(2) > + > +-- We can't check the string overflow itself without a really > +-- large file, because the ERR_MEM error will be raised, due to > +-- the string buffer reallocations during parsing. > +-- Keep such huge file in the repo is pointless, so just check > +-- that we don't parse long string after some separator length. > +-- Be aware that this limit is different for Lua 5.1. > + > +-- Use the hardcoded limit. The same as in the . > +local separator = string.rep('=', 0x20000000 + 1) > +local test_str = ('return [%s[]%s]'):format(separator, separator) > + > +local f, err = loadstring(test_str, 'empty_str_f') > +test:ok(not f, 'correct status when parsing string with too long separator') > + > +-- Check error message. > +test:ok(tostring(err):match('invalid long string delimiter'), > + 'correct error when parsing string with too long separator') > + > +test:done(true)