Tarantool development patches archive
 help / color / mirror / Atom feed
* [Tarantool-patches] [PATCH luajit] Fix overflow check in unpack().
@ 2022-08-23  8:06 Sergey Kaplun via Tarantool-patches
  2022-08-23 11:03 ` sergos via Tarantool-patches
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Sergey Kaplun via Tarantool-patches @ 2022-08-23  8:06 UTC (permalink / raw)
  To: Sergey Ostanevich, Maxim Kokryashkin; +Cc: tarantool-patches

From: Mike Pall <mike>

Thanks to HybridDog.

When build with optimization compiler may throw away overflow check in
`unpack()` base library function.

This patch prevents aforementioned error by comparing the unsigned
amount of values to unpack with `LUAI_MAXCSTACK` instead of 0.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#7230
---

Issue/PR:
* https://github.com/LuaJIT/LuaJIT/pull/574
* https://github.com/tarantool/tarantool/issues/7230
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-574-overflow-unpack-full-ci
PR: https://github.com/tarantool/tarantool/pull/7596

 src/lib_base.c                                       |  6 ++++--
 test/tarantool-tests/lj-574-overflow-unpack.test.lua | 12 ++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 test/tarantool-tests/lj-574-overflow-unpack.test.lua

diff --git a/src/lib_base.c b/src/lib_base.c
index 613a1859..cf57b4f2 100644
--- a/src/lib_base.c
+++ b/src/lib_base.c
@@ -224,9 +224,11 @@ LJLIB_CF(unpack)
   int32_t n, i = lj_lib_optint(L, 2, 1);
   int32_t e = (L->base+3-1 < L->top && !tvisnil(L->base+3-1)) ?
 	      lj_lib_checkint(L, 3) : (int32_t)lj_tab_len(t);
+  uint32_t nu;
   if (i > e) return 0;
-  n = e - i + 1;
-  if (n <= 0 || !lua_checkstack(L, n))
+  nu = (uint32_t)e - (uint32_t)i;
+  n = (int32_t)(nu+1);
+  if (nu >= LUAI_MAXCSTACK || !lua_checkstack(L, n))
     lj_err_caller(L, LJ_ERR_UNPACK);
   do {
     cTValue *tv = lj_tab_getint(t, i);
diff --git a/test/tarantool-tests/lj-574-overflow-unpack.test.lua b/test/tarantool-tests/lj-574-overflow-unpack.test.lua
new file mode 100644
index 00000000..6715d947
--- /dev/null
+++ b/test/tarantool-tests/lj-574-overflow-unpack.test.lua
@@ -0,0 +1,12 @@
+local tap = require('tap')
+
+-- Test file to demonstrate integer overflow in the `unpack()`
+-- function due to compiler optimization.
+-- See also https://github.com/LuaJIT/LuaJIT/pull/574.
+local test = tap.test('lj-574-overflow-unpack')
+test:plan(1)
+
+local r, e = pcall(unpack, {}, 0, 2^31 - 1)
+test:ok(not r and e == 'too many results to unpack', 'overflow check in unpack')
+
+os.exit(test:check() and 0 or 1)
-- 
2.34.1


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2022-11-11  9:07 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-23  8:06 [Tarantool-patches] [PATCH luajit] Fix overflow check in unpack() Sergey Kaplun via Tarantool-patches
2022-08-23 11:03 ` sergos via Tarantool-patches
2022-08-23 13:38   ` Sergey Kaplun via Tarantool-patches
2022-09-06 13:47 ` Maxim Kokryashkin via Tarantool-patches
2022-09-07 11:56   ` Sergey Kaplun via Tarantool-patches
2022-09-07 12:00     ` Maxim Kokryashkin via Tarantool-patches
2022-11-11  8:54 ` Igor Munkin via Tarantool-patches

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox