mirror of
https://github.com/lua/lua.git
synced 2024-11-24 02:33:48 +08:00
several bugs related to precompiled code
This commit is contained in:
parent
7316d61a66
commit
e64b0cada8
53
bugs
53
bugs
@ -1796,6 +1796,58 @@ patch = [[
|
||||
]],
|
||||
}
|
||||
|
||||
Bug{
|
||||
what = [[The validator for precompiled code has several flaws that
|
||||
allow malicious binary code to crash the application]],
|
||||
report = [[Peter Cawley, on 2008/03/24]],
|
||||
since = [[5.0]],
|
||||
example = [[
|
||||
a = string.dump(function()return;end)
|
||||
a = a:gsub(string.char(30,37,122,128), string.char(34,0,0), 1)
|
||||
loadstring(a)()
|
||||
]],
|
||||
patch = [[ ]],
|
||||
}
|
||||
|
||||
Bug{
|
||||
what = [[maliciously crafted precompiled code can blow the C stack]],
|
||||
report = [[Greg Falcon, on 2008/03/25]],
|
||||
since = [[5.0]],
|
||||
example = [[
|
||||
function crash(depth)
|
||||
local init = '\27\76\117\97\81\0\1\4\4\4\8\0\7\0\0\0\61\115\116' ..
|
||||
'\100\105\110\0\1\0\0\0\1\0\0\0\0\0\0\2\2\0\0\0\36' ..
|
||||
'\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0' ..
|
||||
'\1\0\0\0\0\0\0\2'
|
||||
local mid = '\1\0\0\0\30\0\128\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0'
|
||||
local fin = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
|
||||
'\0\0\97\0\1\0\0\0\1\0\0\0\0\0\0\0'
|
||||
local lch = '\2\0\0\0\36\0\0\0\30\0\128\0\0\0\0\0\1\0\0\0\0\0\0' ..
|
||||
'\0\1\0\0\0\1\0\0\0\0\0\0\2'
|
||||
local rch = '\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\2\0' ..
|
||||
'\0\0\97\0\1\0\0\0\1'
|
||||
for i=1,depth do lch,rch = lch..lch,rch..rch end
|
||||
loadstring(init .. lch .. mid .. rch .. fin)
|
||||
end
|
||||
for i=1,25 do print(i); crash(i) end
|
||||
]],
|
||||
patch = [[ ]],
|
||||
}
|
||||
|
||||
Bug{
|
||||
what = [[code validator may reject (maliciously crafted) correct code]],
|
||||
report = [[Greg Falcon, on 2008/03/26]],
|
||||
since = [[5.0]],
|
||||
example = [[
|
||||
z={}
|
||||
for i=1,27290 do z[i]='1,' end
|
||||
z = 'if 1+1==2 then local a={' .. table.concat(z) .. '} end'
|
||||
func = loadstring(z)
|
||||
print(loadstring(string.dump(func)))
|
||||
]],
|
||||
patch = [[ ]],
|
||||
}
|
||||
|
||||
Bug{
|
||||
what = [[ ]],
|
||||
report = [[ , on ]],
|
||||
@ -1803,3 +1855,4 @@ since = [[i ]],
|
||||
example = [[ ]],
|
||||
patch = [[ ]],
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user