I think the diff from https://www.lua.org/bugs.html#5.2.2-1 was
backported to the wrong function (to adjust_varargs() instead of
luaD_precall()). Compare with https://github.com/redis/redis/pull/7733.
While I did not manage to make the PoC crash on my machines, I'm pretty
sure the diff used by Redis is correct. Lua 5.2 also applied the fix to
luaD_precall(), not adjust_varargs().
Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/lua/5.1/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 29 Jun 2016 16:14:41 -0000 1.8
+++ Makefile 16 Mar 2021 18:42:28 -0000
@@ -4,7 +4,7 @@ PORTROACH= limit:^5\.1
VERSION= 5.1.5
PKGSPEC= lua->=5.1,<5.2
-REVISION= 6
+REVISION= 7
SHARED_LIBS= lua5.1 ${VERSION:R}
Index: patches/patch-src_ldo_c
===================================================================
RCS file: /cvs/ports/lang/lua/5.1/patches/patch-src_ldo_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-src_ldo_c
--- patches/patch-src_ldo_c 9 Sep 2014 13:54:43 -0000 1.2
+++ patches/patch-src_ldo_c 16 Mar 2021 18:42:34 -0000
@@ -3,14 +3,15 @@ $OpenBSD: patch-src_ldo_c,v 1.2 2014/09/
Security fix for CVE-2014-5461,
http://openwall.com/lists/oss-security/2014/08/27/2
---- src/ldo.c.orig Tue Sep 9 15:32:24 2014
-+++ src/ldo.c Tue Sep 9 15:33:46 2014
-@@ -217,7 +217,7 @@ static StkId adjust_varargs (lua_State *L, Proto *p, i
- int nvar = actual - nfixargs; /* number of extra arguments */
- lua_assert(p->is_vararg & VARARG_HASARG);
- luaC_checkGC(L);
+Index: src/ldo.c
+--- src/ldo.c.orig
++++ src/ldo.c
+@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresul
+ CallInfo *ci;
+ StkId st, base;
+ Proto *p = cl->p;
- luaD_checkstack(L, p->maxstacksize);
+ luaD_checkstack(L, p->maxstacksize + p->numparams);
- htab = luaH_new(L, nvar, 1); /* create `arg' table */
- for (i=0; i<nvar; i++) /* put extra arguments into `arg' table */
- setobj2n(L, luaH_setnum(L, htab, i+1), L->top - nvar + i);
+ func = restorestack(L, funcr);
+ if (!p->is_vararg) { /* no varargs? */
+ base = func + 1;
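Review bot: the comment block at the top of patches/patch-src_ldo_c (the "Security fix for CVE-2014-5461" line and the openwall link) is left unchanged, so the patch file does not record that the fix now targets luaD_precall() rather than adjust_varargs(). Consider adding a line there that cites https://www.lua.org/bugs.html#5.2.2-1 as the reference for the placement, so a later reader can check it against upstream without this thread. Note also that in the new hunk the widened luaD_checkstack(L, p->maxstacksize + p->numparams) sits before the if (!p->is_vararg) branch, so the extra reservation now applies to every Lua function call and not only to vararg ones; that matches the intent described in the message, but it is worth stating in the patch comment since the removed hunk only covered the vararg path.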