Potential overflow when dumping string size


Jure Bagić

Sep 20, 2025, 11:06:10 PM Sep 20
to lua-l
In the `dumpString` routine (in ldump.c on line 155, latest commit on the GitHub mirror),
in the case where we have a non-empty string and the string is not found
in the table to be reused, we encode its length when dumping as
`len + 2` to avoid a size of 0 and a size of 1. It is okay to add 1, as the actual
size is `len + 1` with the null terminator; however, adding 2 might cause an overflow,
highly unlikely but still...

Doing something like:
> dumpSize(D, size + 1 + (size < size + 2));
would be an easy fix.

-- Jure

Sainan

Sep 21, 2025, 5:46:21 AM Sep 21
to lu...@googlegroups.com
/*
** Dump a String. First dump its "size": size==0 means NULL;
** size==1 is followed by an index and means "reuse saved string with
** that index"; size>=2 is followed by the string contents with real
** size==size-2 and means that string, which will be saved with
** the next available index.
*/

So, size 0 and size 1 are reserved. The "size" representation of a string of length 0 is 2, of length 1 is 3, etc.

-- Sainan

Roberto Ierusalimschy

Sep 21, 2025, 10:51:03 AM Sep 21
to lu...@googlegroups.com
> In the `dumpString` routine (in ldump.c on line 155, latest commit on the GitHub mirror),
> in the case where we have a non-empty string and the string is not found
> in the table to be reused, we encode its length when dumping as
> `len + 2` to avoid a size of 0 and a size of 1. It is okay to add 1, as the actual
> size is `len + 1` with the null terminator; however, adding 2 might cause an overflow,
> highly unlikely but still...

In general, that could not happen because strings have a header, and
the total size of the header+string must fit in size_t. However, with
the new external strings, this seems to be a real possibility. Thanks
for the feedback.

-- Roberto
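The encoding Sainan quoted and the header argument Roberto makes above, as an added example that is not part of this thread and not Lua's own ldump.c code. It models the size field (0 = NULL, 1 = reuse index, >= 2 = literal with real length size-2), checks for the `len + 2` wrap before adding, and shows why an internal string (header + payload + NUL in one allocation, so the largest payload is SIZE_MAX - header - 1) can never trip the check while a string whose bytes are supplied externally can. The names `encode_dump_size`, `decode_dump_size`, `max_internal_len`, `max_external_len`, `write_varint` and `dump_string_size` are hypothetical, the external-string bound of SIZE_MAX - 1 is an assumption for the demo, and the 7-bit varint writer is only modelled on the style of ldump.c's `dumpSize`, not copied from it.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag values of the dumped "size" field, following the ldump.c comment:
   0 = NULL string, 1 = reuse a saved string (index follows), >= 2 = literal
   string whose real length is size - 2. */
#define DUMP_NULL   ((size_t)0)
#define DUMP_REUSE  ((size_t)1)
#define DUMP_OFFSET ((size_t)2)

typedef enum { DS_NULL, DS_REUSE, DS_LITERAL } dump_kind;

/* Compute the size field for a literal string of length len.
   Returns 0 and stores the field in *out, or -1 if len + 2 would wrap.
   The comparison happens before the addition, so nothing overflows here. */
int encode_dump_size(size_t len, size_t *out) {
    if (len > SIZE_MAX - DUMP_OFFSET)
        return -1;
    *out = len + DUMP_OFFSET;
    return 0;
}

/* Inverse mapping a loader would apply: classify the field, recover the length. */
dump_kind decode_dump_size(size_t size, size_t *real_len) {
    if (size == DUMP_NULL) return DS_NULL;
    if (size == DUMP_REUSE) return DS_REUSE;
    *real_len = size - DUMP_OFFSET;   /* cannot underflow: size >= 2 here */
    return DS_LITERAL;
}

/* Internal string: header, payload and terminating NUL share one allocation,
   so header + len + 1 <= SIZE_MAX. The largest len satisfying that is
   SIZE_MAX - header - 1; with header >= 1 this means len + 2 <= SIZE_MAX. */
size_t max_internal_len(size_t header) {
    return SIZE_MAX - header - 1;
}

/* Hypothetical external string: the bytes come from the host, so the only
   bound modelled here is len + 1 (the NUL) fitting in size_t (assumption). */
size_t max_external_len(void) {
    return SIZE_MAX - 1;
}

/* 7-bit varint writer in the style of ldump.c's dumpSize (an assumption about
   the format): most significant group first, bit 7 set on the final byte.
   Returns the number of bytes written into buf (at most 10 on 64-bit). */
int write_varint(size_t x, unsigned char *buf) {
    unsigned char tmp[sizeof(size_t) * 8 / 7 + 1];
    int n = 0, i;
    do {
        tmp[n++] = (unsigned char)(x & 0x7f);
        x >>= 7;
    } while (x != 0);
    for (i = 0; i < n; i++)          /* emit groups in big-endian order */
        buf[i] = tmp[n - 1 - i];
    buf[n - 1] |= 0x80;              /* terminator bit on the last byte */
    return n;
}

/* End to end: serialise a literal string's size field into buf.
   Returns the byte count, or -1 when the length cannot be represented. */
int dump_string_size(size_t len, unsigned char *buf) {
    size_t field;
    if (encode_dump_size(len, &field) != 0)
        return -1;
    return write_varint(field, buf);
}
```

The check in `encode_dump_size` is the one a dumper wants: compare against `SIZE_MAX - 2` first, then add. Computing `len + 2` and testing the result afterwards is exactly the wrapped value the thread is worried about.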

Jure Bagić

Sep 21, 2025, 11:32:52 AM Sep 21
to lu...@googlegroups.com
I overlooked the header completely *facepalm*!

--
Jure