Hey, this bug was introduced 6 years ago when replacing "unsafe" strcpy(), strcat() and sprintf() calls with their "safe" counterparts, the irony.
Original (a.k.a. "unsafe") code:
    size_t len = strcspn(source, "\n\r");
    bufflen -= sizeof(" [string \"...\"] ");
    ...
    if (source[len] != '\0') {
Our "safe" code:
    size_t pos = strcspn(source, "\n\r");
    size_t len = bufflen - sizeof(" [string \"...\"] ");
    ...
    if (source[len] != '\0') {
Basically, the old "len" variable was changed to "pos", but it wasn't
replaced in the code and the new "len" variable was introduced, which
resulted in such a sweet backtrace:
#0 0x0000000208bbafb9 in luaO_chunkid (out=0x7f7ffffc33f8 "[string \"",
source=0x20e161fd8 "ngx.exit", bufflen=60) at lobject.c:203
203 if (source[len] != '\0') { /* must truncate? */
(gdb) p len
$1 = 43
(gdb) p pos
$2 = 8
(gdb) p source[len]
Cannot access memory at address 0x20e162003
(gdb) p source[pos]
$3 = 0 '\0'
Attached patch fixes this, but to be honest I would consider completely
dropping our "fix" from the port.
Best regards,
Piotr Sikora <[email protected]>
lua-5.1.4p4.patch
Description: Binary data
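As an added illustration (not Lua's code and not the attached patch; all function names are hypothetical), here is the luaO_chunkid truncation logic with the newline position (pos) and the length budget (len) kept apart, plus a helper showing why indexing with len instead of pos reads past the string for the values seen in the gdb session:

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Lua's code or the port's patch. The marker
 * text is the one subtracted from bufflen in luaO_chunkid. */
#define CHUNK_MARK " [string \"...\"] "   /* 16 chars + NUL: sizeof == 17 */

/* Bytes left for the quoted source once the marker is accounted for. */
size_t chunk_budget(size_t bufflen)
{
    return bufflen - sizeof(CHUNK_MARK);   /* bufflen 60 -> 43, as in gdb */
}

/* Index of the first CR/LF, or of the terminating NUL if there is none. */
size_t first_newline(const char *source)
{
    return strcspn(source, "\n\r");        /* "ngx.exit" -> 8, the NUL */
}

/* The port's bug: the index used was len (the budget), not pos. Returns 1
 * when that index lies past the terminator, i.e. the read is out of bounds. */
int buggy_index_out_of_bounds(const char *source, size_t bufflen)
{
    return chunk_budget(bufflen) > strlen(source);   /* 43 > 8 for "ngx.exit" */
}

/* Correct form: clamp pos to the budget first, so source[pos] is always
 * inside the string, then decide whether "..." is needed. Returns out. */
char *chunk_id(char *out, size_t bufflen, const char *source)
{
    size_t len = chunk_budget(bufflen);
    size_t pos = first_newline(source);
    if (pos > len)
        pos = len;                          /* never index beyond the budget */
    if (source[pos] != '\0')                /* more text follows: truncate */
        snprintf(out, bufflen, "[string \"%.*s...\"]", (int)pos, source);
    else
        snprintf(out, bufflen, "[string \"%s\"]", source);
    return out;
}
```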
