From ef7d29c66601ac2484ce474fde9b058b3dd4eaa0 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Thu, 11 Dec 2014 11:40:40 -0200
Subject: [PATCH] better limits for 'sting.rep' and 'string.packsize'

---
 lstrlib.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/lstrlib.c b/lstrlib.c
index d220ffb6..786016b4 100644
--- a/lstrlib.c
+++ b/lstrlib.c
@@ -1,5 +1,5 @@
 /*
-** $Id: lstrlib.c,v 1.218 2014/12/04 16:25:40 roberto Exp roberto $
+** $Id: lstrlib.c,v 1.219 2014/12/10 11:36:03 roberto Exp roberto $
 ** Standard library for string operations and pattern-matching
 ** See Copyright Notice in lua.h
 */
@@ -36,6 +36,15 @@
 #define uchar(c)	((unsigned char)(c))
 
 
+/*
+** Some sizes are better limited to fit in 'int', but must also fit in
+** 'size_t'. (We assume that 'lua_Integer' cannot be smaller than 'int'.)
+*/
+#define MAXSIZE  \
+	(sizeof(size_t) < sizeof(int) ? (~(size_t)0) : (size_t)(INT_MAX))
+
+
+
 
 static int str_len (lua_State *L) {
   size_t l;
@@ -105,13 +114,6 @@ static int str_upper (lua_State *L) {
 }
 
 
-/* reasonable limit to avoid arithmetic overflow and strings too big */
-#if LUA_MAXINTEGER / 2 <= 0x10000000
-#define MAXSIZE		((size_t)(LUA_MAXINTEGER / 2))
-#else
-#define MAXSIZE		((size_t)0x10000000)
-#endif
-
 static int str_rep (lua_State *L) {
   size_t l, lsep;
   const char *s = luaL_checklstring(L, 1, &l);
@@ -1033,7 +1035,7 @@ static int getnum (const char **fmt, int df) {
     int a = 0;
     do {
       a = a*10 + *((*fmt)++) - '0';
-    } while (digit(**fmt) && a < (INT_MAX/10 - 10));
+    } while (digit(**fmt) && a < ((int)MAXSIZE/10 - 10));
     return a;
   }
 }
@@ -1261,12 +1263,15 @@ static int str_pack (lua_State *L) {
 static int str_packsize (lua_State *L) {
   Header h;
   const char *fmt = luaL_checkstring(L, 1);  /* format string */
-  lua_Integer totalsize = 0;  /* accumulate total size of result */
+  size_t totalsize = 0;  /* accumulate total size of result */
   initheader(L, &h);
   while (*fmt != '\0') {
     int size, ntoalign;
     KOption opt = getdetails(&h, totalsize, &fmt, &size, &ntoalign);
-    totalsize += ntoalign + size;
+    size += ntoalign;  /* total space used by option */
+    luaL_argcheck(L, totalsize <= MAXSIZE - size, 1,
+                     "format result too large");
+    totalsize += size;
     switch (opt) {
       case Kstring:  /* strings with length count */
       case Kzstr:    /* zero-terminated string */
@@ -1275,7 +1280,7 @@ static int str_packsize (lua_State *L) {
       default:  break;
     }
   }
-  lua_pushinteger(L, totalsize);
+  lua_pushinteger(L, (lua_Integer)totalsize);
   return 1;
 }