From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= Date: Thu, 8 Dec 2011 16:13:26 +0100 Message-ID: <1323357206-31462-1-git-send-email-benoit.burnichon@airtag.com> In-Reply-To: <20111208112215.GD11859@pengutronix.de> References: <20111208112215.GD11859@pengutronix.de> MIME-Version: 1.0 Subject: [ptxdist] [PATCH] lua: update to the latest bugfix patch Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de --- ...ly-crafted-precompiled-code-can-crash-Lua.patch | 9 +++ ...ble-to-create-functions-that-return-too-m.patch | 10 +++ ...generation-for-some-particular-boolean-ex.patch | 69 ++++++++++++++++++++ ...le-may-invalidate-a-reference-to-a-table-.patch | 48 ++++++++++++++ ...nv-does-not-check-whether-it-has-an-argum.patch | 29 ++++++++ ...stuck-during-parsing-and-avoids-proper-re.patch | 31 +++++++++ ...at-may-get-buffer-as-an-argument-when-the.patch | 41 ++++++++++++ ...n-may-return-garbage-if-second-read-fails.patch | 34 ++++++++++ ...generation-for-some-particular-boolean-ex.patch | 52 +++++++++++++++ ...metamethod-may-not-work-if-metatable-is-i.patch | 33 +++++++++ ...may-collect-a-prototype-while-building-it.patch | 28 ++++++++ patches/lua-5.1.4/series | 11 +++ 12 files changed, 395 insertions(+), 0 deletions(-) create mode 100644 patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch create mode 100644 patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch create mode 100644 patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch create mode 100644 patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch create mode 100644 
patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch create mode 100644 patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch create mode 100644 patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch create mode 100644 patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch create mode 100644 patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch create mode 100644 patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch create mode 100644 patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch diff --git a/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch new file mode 100644 index 0000000..37b9766 --- /dev/null +++ b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch @@ -0,0 +1,9 @@ +From 293f82d33cd67b7f48e078788af6a4b2887c16bf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:05:35 +0100 +Subject: [PATCH 01/11] Maliciously crafted precompiled code can crash Lua + +Comes from http://www.lua.org/bugs.html#5.1.4-1 + +--- + diff --git a/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch new file mode 100644 index 0000000..e5b614b --- /dev/null +++ b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch @@ -0,0 +1,10 @@ +From e5973b1ca3ad83d500f0c85abb78b2a0bf5fbdc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:07:18 +0100 +Subject: [PATCH 02/11] It is possible to create functions that return too many arguments and + overflow the stack of C functions. + +Comes from http://www.lua.org/bugs.html#5.1.4-2 + +--- + 
diff --git a/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch new file mode 100644 index 0000000..43d4c6c --- /dev/null +++ b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch @@ -0,0 +1,69 @@ +From b40f5fc4341153fc53fa2d0e839223944b022e6e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:10:56 +0100 +Subject: [PATCH 03/11] Wrong code generation for some particular boolean expressions. (see also + 9) + +Comes from http://www.lua.org/bugs.html#5.1.4-3 + + reported by Brian Kelley on 15 Apr 2009. + Example: + -- + print(((1 or false) and true) or false) --> 1, but should be 'true' + -- + +Patch: (partial solution; see also 9) +--- + +diff --git a/src/lcode.c b/src/lcode.c +index cff626b..84f286b 100644 +--- a/src/lcode.c ++++ b/src/lcode.c +@@ -544,15 +544,18 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) { + pc = NO_JUMP; /* always true; do nothing */ + break; + } +- case VFALSE: { +- pc = luaK_jump(fs); /* always jump */ +- break; +- } + case VJMP: { + invertjump(fs, e); + pc = e->u.s.info; + break; + } ++ case VFALSE: { ++ if (!hasjumps(e)) { ++ pc = luaK_jump(fs); /* always jump */ ++ break; ++ } ++ /* else go through */ ++ } + default: { + pc = jumponcond(fs, e, 0); + break; +@@ -572,14 +575,17 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) { + pc = NO_JUMP; /* always false; do nothing */ + break; + } +- case VTRUE: { +- pc = luaK_jump(fs); /* always jump */ +- break; +- } + case VJMP: { + pc = e->u.s.info; + break; + } ++ case VTRUE: { ++ if (!hasjumps(e)) { ++ pc = luaK_jump(fs); /* always jump */ ++ break; ++ } ++ /* else go through */ ++ } + default: { + pc = jumponcond(fs, e, 1); + break; +-- +1.7.2.5 + 
diff --git a/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch new file mode 100644 index 0000000..d1ae864 --- /dev/null +++ b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch @@ -0,0 +1,48 @@ +From 41f746c9be4330bac1466ab994f147aeef88675d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:13:59 +0100 +Subject: [PATCH 04/11] luaV_settable may invalidate a reference to a table and try to reuse it + +Comes from http://www.lua.org/bugs.html#5.1.4-4 + + reported by Mark Feldman on 27 Jun 2009. + Example: + -- + grandparent = {} + grandparent.__newindex = function(s,_,_) print(s) end + +parent = {} +parent.__newindex = parent +setmetatable(parent, grandparent) + +child = setmetatable({}, parent) +child.foo = 10 --> (crash on some machines) +-- +--- + +diff --git a/src/lvm.c b/src/lvm.c +index ee3256a..4ac2e71 100644 +--- a/src/lvm.c ++++ b/src/lvm.c +@@ -133,6 +133,7 @@ void luaV_gettable (lua_State *L, const TValue *t, TValue *key, StkId val) { + + void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) { + int loop; ++ TValue temp; + for (loop = 0; loop < MAXTAGLOOP; loop++) { + const TValue *tm; + if (ttistable(t)) { /* `t' is a table? */ +@@ -152,7 +153,9 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) { + callTM(L, tm, t, key, val); + return; + } +- t = tm; /* else repeat with `tm' */ ++ /* else repeat with `tm' */ ++ setobj(L, &temp, tm); /* avoid pointing inside table (may rehash) */ ++ t = &temp; + } + luaG_runerror(L, "loop in settable"); + } +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch new file mode 100644 index 0000000..51784f7 --- /dev/null 
+++ b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch @@ -0,0 +1,29 @@ +From a0e82265587327b15635b61517601cb7c74de07e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:18:20 +0100 +Subject: [PATCH 05/11] debug.getfenv does not check whether it has an argument. + +Comes from http://www.lua.org/bugs.html#5.1.4-5 + +reported by Patrick Donnelly on 30 Jul 2009. +Example: +-- +debug.getfenv() -- should raise an error +-- +--- + +diff --git a/src/ldblib.c b/src/ldblib.c +index 67de122..21116ac 100644 +--- a/src/ldblib.c ++++ b/src/ldblib.c +@@ -45,6 +45,7 @@ static int db_setmetatable (lua_State *L) { + + + static int db_getfenv (lua_State *L) { ++ luaL_checkany(L, 1); + lua_getfenv(L, 1); + return 1; + } +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch new file mode 100644 index 0000000..4c890f8 --- /dev/null +++ b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch 
@@ -0,0 +1,31 @@ +From 4a37f37706e3f89d379a827c8da646d34d136c3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:20:15 +0100 +Subject: [PATCH 06/11] GC may get stuck during parsing and avoids proper resizing of the string + table, making its lists grow too much and degrading performance. + +Comes from http://www.lua.org/bugs.html#5.1.4-6 + + reported by Sean Conner on 10 Nov 2009. + +--- + +diff --git a/src/llex.c b/src/llex.c +index 6dc3193..92d6575 100644 +--- a/src/llex.c ++++ b/src/llex.c +@@ -118,8 +118,10 @@ TString *luaX_newstring (LexState *ls, const char *str, size_t l) { + lua_State *L = ls->L; + TString *ts = luaS_newlstr(L, str, l); + TValue *o = luaH_setstr(L, ls->fs->h, ts); /* entry for `str' */ +- if (ttisnil(o)) ++ if (ttisnil(o)) { + setbvalue(o, 1); /* make sure `str' will not be collected */ ++ luaC_checkGC(L); ++ } + return ts; + } + +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch new file mode 100644 index 0000000..2e3d062 --- /dev/null +++ b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch 
@@ -0,0 +1,41 @@ +From ce47c22d52dcc4996c03e073ddf94398aa42411e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:21:46 +0100 +Subject: [PATCH 07/11] string.format may get buffer as an argument when there are missing + arguments and format string is too long. + +Comes from http://www.lua.org/bugs.html#5.1.4-7 + +reported by Roberto on 12 Apr 2010. +Example: +-- +x = string.rep("x", 10000) .. "%d" +print(string.format(x)) -- gives wrong error message +-- +--- + +diff --git a/src/lstrlib.c b/src/lstrlib.c +index 1b4763d..fe452ce 100644 +--- a/src/lstrlib.c ++++ b/src/lstrlib.c +@@ -754,6 +754,7 @@ static void addintlen (char *form) { + + + static int str_format (lua_State *L) { ++ int top = lua_gettop(L); + int arg = 1; + size_t sfl; + const char *strfrmt = luaL_checklstring(L, arg, &sfl); +@@ -768,7 +769,8 @@ static int str_format (lua_State *L) { + else { /* format item */ + char form[MAX_FORMAT]; /* to store the format (`%...') */ + char buff[MAX_ITEM]; /* to store the formatted item */ +- arg++; ++ if (++arg > top) ++ luaL_argerror(L, arg, "no value"); + strfrmt = scanformat(L, strfrmt, form); + switch (*strfrmt++) { + case 'c': { +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch new file mode 100644 index 0000000..960b0c2 --- /dev/null +++ b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch 
@@ -0,0 +1,34 @@ +From 224bbe29a295851544712b4470f7a48f338cddaa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:23:53 +0100 +Subject: [PATCH 08/11] io.read("*n", "*n") may return garbage if second read fails. + +Comes from http://www.lua.org/bugs.html#5.1.4-8 + +reported by Roberto on 12 Apr 2010. +Example: +-- +print(io.read("*n", "*n")) --<< enter "10 hi" +--> file (0x884420) nil +-- +--- + +diff --git a/src/liolib.c b/src/liolib.c +index e79ed1c..8de2547 100644 +--- a/src/liolib.c ++++ b/src/liolib.c +@@ -276,7 +276,10 @@ static int read_number (lua_State *L, FILE *f) { + lua_pushnumber(L, d); + return 1; + } +- else return 0; /* read fails */ ++ else { ++ lua_pushnil(L); /* "result" to be removed */ ++ return 0; /* read fails */ ++ } + } + + +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch new file mode 100644 index 0000000..70ea24f --- /dev/null +++ b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch 
@@ -0,0 +1,52 @@ +From 14c92823c5877a458ddcfa2c90d0b03ea873baa3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:25:18 +0100 +Subject: [PATCH 09/11] Wrong code generation for some particular boolean expressions. + +Comes from http://www.lua.org/bugs.html#5.1.4-9 + +reported by Thierry Van Elsuwe on 20 Jan 2011. +Example: +-- +print((('hi' or true) and true) or true) +--> hi (should be true) +print(((nil and nil) or false) and true) +--> nil (should be false) +-- +--- + +diff --git a/src/lcode.c b/src/lcode.c +index 84f286b..c13066e 100644 +--- a/src/lcode.c ++++ b/src/lcode.c +@@ -549,13 +549,6 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) { + pc = e->u.s.info; + break; + } +- case VFALSE: { +- if (!hasjumps(e)) { +- pc = luaK_jump(fs); /* always jump */ +- break; +- } +- /* else go through */ +- } + default: { + pc = jumponcond(fs, e, 0); + break; +@@ -579,13 +572,6 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) { + pc = e->u.s.info; + break; + } +- case VTRUE: { +- if (!hasjumps(e)) { +- pc = luaK_jump(fs); /* always jump */ +- break; +- } +- /* else go through */ +- } + default: { + pc = jumponcond(fs, e, 1); + break; +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch new file mode 100644 index 0000000..3d75d48 --- /dev/null +++ b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch 
@@ -0,0 +1,33 @@ +From 81ff350a91cb1c248e96366eed3049386c5f2cba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:27:04 +0100 +Subject: [PATCH 10/11] __newindex metamethod may not work if metatable is its own metatable. + +Comes from http://www.lua.org/bugs.html#5.1.4-10 + +reported by Cuero Bugot on 09 Aug 2011. +Example: +-- +meta={} +setmetatable(meta, meta) +meta.__newindex = function(t, key, value) print("set") end +o = setmetatable({}, meta) +o.x = 10 -- should print 'set' +-- +--- + +diff --git a/src/lvm.c b/src/lvm.c +index 4ac2e71..ca7bea0 100644 +--- a/src/lvm.c ++++ b/src/lvm.c +@@ -142,6 +142,7 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) { + if (!ttisnil(oldval) || /* result is no nil? */ + (tm = fasttm(L, h->metatable, TM_NEWINDEX)) == NULL) { /* or no TM? */ + setobj2t(L, oldval, val); ++ h->flags = 0; + luaC_barriert(L, h, val); + return; + } +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch new file mode 100644 index 0000000..fdd098f --- /dev/null +++ b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch 
@@ -0,0 +1,28 @@ +From 23449ee61f062a18926f11a216f9906155f259b9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= +Date: Tue, 6 Dec 2011 14:28:19 +0100 +Subject: [PATCH 11/11] Parser may collect a prototype while building it. + +Comes from http://www.lua.org/bugs.html#5.1.4-11 + +reported by Ingo van Lil on 13 Oct 2011. +--- + +diff --git a/src/lparser.c b/src/lparser.c +index 1e2a9a8..a2721d2 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -374,9 +374,9 @@ static void close_func (LexState *ls) { + lua_assert(luaG_checkcode(f)); + lua_assert(fs->bl == NULL); + ls->fs = fs->prev; +- L->top -= 2; /* remove table and prototype from the stack */ + /* last token read was anchored in defunct function; must reanchor it */ + if (fs) anchor_token(ls); ++ L->top -= 2; /* remove table and prototype from the stack */ + } + + +-- +1.7.2.5 + diff --git a/patches/lua-5.1.4/series b/patches/lua-5.1.4/series index 2c51e37..5f3e6b4 100644 --- a/patches/lua-5.1.4/series +++ b/patches/lua-5.1.4/series @@ -1,3 +1,14 @@ remove-Makefile.diff autoconfize.diff automakize.diff +#0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch +#0002-It-is-possible-to-create-functions-that-return-too-m.patch +0003-Wrong-code-generation-for-some-particular-boolean-ex.patch +0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch +0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch +0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch +0007-string.format-may-get-buffer-as-an-argument-when-the.patch +0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch +0009-Wrong-code-generation-for-some-particular-boolean-ex.patch +0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch +0011-Parser-may-collect-a-prototype-while-building-it.patch -- 1.7.2.5 -- ptxdist mailing list ptxdist@pengutronix.de
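Review bot: patch files 0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch and 0002-It-is-possible-to-create-functions-that-return-too-m.patch carry only a From/Date/Subject header and a `Comes from` link with no diff after the `---`, and the series hunk adds both lines commented out with `#`. Either drop the two files together with their series lines, or state in the commit message (which currently has no body above the diffstat) why they are kept as disabled placeholders; as submitted, a reader of the series cannot tell whether bugs 5.1.4-1 and 5.1.4-2 are fixed elsewhere or deliberately skipped.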
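Review bot: in the lcode.c hunks of 0003 the new `case VFALSE:` / `case VTRUE:` blocks fall through into `default:` whenever `hasjumps(e)` is true, marked only by `/* else go through */`, and patch 0009 later deletes exactly those blocks (its pre-image index `84f286b` is 0003's post-image). Since 0003's own message calls it a partial solution, consider squashing 0003 and 0009 into one patch so the intermediate state never exists in the series; if the split is kept to mirror the upstream bug numbering, at least put an explicit fall-through marker on the two cases so the intent survives a compiler warning pass.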
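Review bot: the 0004 lvm.c hunk is sound, but the comment `avoid pointing inside table (may rehash)` only tells half the story: on the next loop iteration `t` is not just tested with `ttistable(t)` but is also handed to `callTM(L, tm, t, key, val)` in the visible context, which is why `tm` has to be copied into a full `TValue temp` rather than kept as a pointer. Saying so in the comment or the commit message would stop a later cleanup from "simplifying" it back to `t = tm`. The reproducer in the commit message is also half indented (the `grandparent` lines) and half not (`parent`/`child`); please normalise it.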
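Review bot: in the llex.c hunk of 0006 the order of the two statements inside the new braces is load-bearing: `setbvalue(o, 1)` anchors `ts` in `ls->fs->h` before `luaC_checkGC(L)` may run a collection step, so swapping them would let the string be collected while still referenced. The comment `make sure 'str' will not be collected` should be extended to say that the GC check deliberately comes after the anchoring.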
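Review bot: the commit message of 0007 describes the symptom as "gives wrong error message", but what the lstrlib.c hunk fixes is an out-of-range stack access: `top` is captured at entry with `lua_gettop(L)` and `if (++arg > top) luaL_argerror(L, arg, "no value");` stops the argument-fetching code after it from indexing past the last argument when the format string has more `%` items than values. State that in the message, since the memory-safety aspect is the reason to carry the patch, not the error text.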
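Review bot: in the 0008 liolib.c hunk `read_number` now does `lua_pushnil(L)` but still returns 0 on failure, so the stack gains a value that the return count does not report. The comment `"result" to be removed` is too terse: say explicitly that the caller pops this placeholder on a failed read so the stack stays balanced, otherwise the push/return mismatch reads like a bug to the next person who touches it.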
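Review bot: in the 0010 lvm.c hunk `h->flags = 0;` clears the cached absent-metamethod bits of `h` on every raw store that reaches `setobj2t`, not only in the self-metatable case from the commit message, so the `fasttm` cache is discarded for every table write. That is the minimal fix, but the commit message should mention the cost. Also, this hunk's index line `4ac2e71..ca7bea0` starts from 0004's result (`ee3256a..4ac2e71`), so the relative order of 0004 and 0010 in the series is load-bearing and must not be changed when the series file is edited.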
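Review bot: the 0011 lparser.c hunk moves `L->top -= 2` below `if (fs) anchor_token(ls);`, but the comment `remove table and prototype from the stack` no longer explains why the line sits after the re-anchoring. Extend it to say that anchor_token can allocate, and therefore trigger a collection, so the table and prototype must still be on the stack when it runs; without that, the next reordering "for readability" reintroduces the bug.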