[ptxdist] [PATCH 2/2] lua: update to the latest bugfix patch

[ptxdist] [PATCH 2/2] lua: update to the latest bugfix patch

[Benoît BURNICHON]

---
 ...ly-crafted-precompiled-code-can-crash-Lua.patch |    7 ++
 ...ble-to-create-functions-that-return-too-m.patch |    8 +++
 ...generation-for-some-particular-boolean-ex.patch |   66 ++++++++++++++++++++
 ...le-may-invalidate-a-reference-to-a-table-.patch |   45 +++++++++++++
 ...nv-does-not-check-whether-it-has-an-argum.patch |   27 ++++++++
 ...stuck-during-parsing-and-avoids-proper-re.patch |   28 ++++++++
 ...at-may-get-buffer-as-an-argument-when-the.patch |   39 ++++++++++++
 ...n-may-return-garbage-if-second-read-fails.patch |   32 ++++++++++
 ...generation-for-some-particular-boolean-ex.patch |   50 +++++++++++++++
 ...metamethod-may-not-work-if-metatable-is-i.patch |   31 +++++++++
 ...may-collect-a-prototype-while-building-it.patch |   26 ++++++++
 patches/lua-5.1.4/series                           |   11 +++
 12 files changed, 370 insertions(+), 0 deletions(-)
 create mode 100644 patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
 create mode 100644 patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
 create mode 100644 patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
 create mode 100644 patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
 create mode 100644 patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
 create mode 100644 patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
 create mode 100644 patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
 create mode 100644 patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
 create mode 100644 patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
 create mode 100644 patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
 create mode 100644 patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch

diff --git a/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
new file mode 100644
index 0000000..57a85e8
--- /dev/null
+++ b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
@@ -0,0 +1,7 @@
+From 293f82d33cd67b7f48e078788af6a4b2887c16bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:05:35 +0100
+Subject: [PATCH 01/11] Maliciously crafted precompiled code can crash Lua
+
+---
+
diff --git a/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
new file mode 100644
index 0000000..07dba84
--- /dev/null
+++ b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
@@ -0,0 +1,8 @@
+From e5973b1ca3ad83d500f0c85abb78b2a0bf5fbdc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:07:18 +0100
+Subject: [PATCH 02/11] It is possible to create functions that return too many arguments and
+ overflow the stack of C functions.
+
+---
+
diff --git a/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 0000000..38b04ba
--- /dev/null
+++ b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
@@ -0,0 +1,66 @@
+From b40f5fc4341153fc53fa2d0e839223944b022e6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:10:56 +0100
+Subject: [PATCH 03/11] Wrong code generation for some particular boolean expressions. (see also
+ 9)
+ reported by Brian Kelley on 15 Apr 2009.
+ Example:
+ --
+ print(((1 or false) and true) or false)   --> 1, but should be 'true'
+ --
+
+Patch: (partial solution; see also 9)
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index cff626b..84f286b 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -544,15 +544,18 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+       pc = NO_JUMP;  /* always true; do nothing */
+       break;
+     }
+-    case VFALSE: {
+-      pc = luaK_jump(fs);  /* always jump */
+-      break;
+-    }
+     case VJMP: {
+       invertjump(fs, e);
+       pc = e->u.s.info;
+       break;
+     }
++    case VFALSE: {
++      if (!hasjumps(e)) {
++        pc = luaK_jump(fs);  /* always jump */
++        break;
++      }
++      /* else go through */
++    }
+     default: {
+       pc = jumponcond(fs, e, 0);
+       break;
+@@ -572,14 +575,17 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+       pc = NO_JUMP;  /* always false; do nothing */
+       break;
+     }
+-    case VTRUE: {
+-      pc = luaK_jump(fs);  /* always jump */
+-      break;
+-    }
+     case VJMP: {
+       pc = e->u.s.info;
+       break;
+     }
++    case VTRUE: {
++      if (!hasjumps(e)) {
++        pc = luaK_jump(fs);  /* always jump */
++        break;
++      }
++      /* else go through */
++    }
+     default: {
+       pc = jumponcond(fs, e, 1);
+       break;
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
new file mode 100644
index 0000000..e4a0002
--- /dev/null
+++ b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
@@ -0,0 +1,45 @@
+From 41f746c9be4330bac1466ab994f147aeef88675d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:13:59 +0100
+Subject: [PATCH 04/11] luaV_settable may invalidate a reference to a table and try to reuse it
+ reported by Mark Feldman on 27 Jun 2009.
+ Example:
+ --
+ grandparent = {}
+ grandparent.__newindex = function(s,_,_) print(s) end
+
+parent = {}
+parent.__newindex = parent
+setmetatable(parent, grandparent)
+
+child = setmetatable({}, parent)
+child.foo = 10      --> (crash on some machines)
+--
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index ee3256a..4ac2e71 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -133,6 +133,7 @@ void luaV_gettable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+
+ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+   int loop;
++  TValue temp;
+   for (loop = 0; loop < MAXTAGLOOP; loop++) {
+     const TValue *tm;
+     if (ttistable(t)) {  /* `t' is a table? */
+@@ -152,7 +153,9 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+       callTM(L, tm, t, key, val);
+       return;
+     }
+-    t = tm;  /* else repeat with `tm' */
++    /* else repeat with `tm' */
++    setobj(L, &temp, tm);  /* avoid pointing inside table (may rehash) */
++    t = &temp;
+   }
+   luaG_runerror(L, "loop in settable");
+ }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
new file mode 100644
index 0000000..53f35a6
--- /dev/null
+++ b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
@@ -0,0 +1,27 @@
+From a0e82265587327b15635b61517601cb7c74de07e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:18:20 +0100
+Subject: [PATCH 05/11] debug.getfenv does not check whether it has an argument.
+
+reported by Patrick Donnelly on 30 Jul 2009.
+Example:
+--
+debug.getfenv()   -- should raise an error
+--
+---
+
+diff --git a/src/ldblib.c b/src/ldblib.c
+index 67de122..21116ac 100644
+--- a/src/ldblib.c
++++ b/src/ldblib.c
+@@ -45,6 +45,7 @@ static int db_setmetatable (lua_State *L) {
+
+
+ static int db_getfenv (lua_State *L) {
++  luaL_checkany(L, 1);
+   lua_getfenv(L, 1);
+   return 1;
+ }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
new file mode 100644
index 0000000..70190cd
--- /dev/null
+++ b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
@@ -0,0 +1,28 @@
+From 4a37f37706e3f89d379a827c8da646d34d136c3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:20:15 +0100
+Subject: [PATCH 06/11] GC may get stuck during parsing and avoids proper resizing of the string
+ table, making its lists grow too much and degrading performance.
+ reported by Sean Conner on 10 Nov 2009.
+
+---
+
+diff --git a/src/llex.c b/src/llex.c
+index 6dc3193..92d6575 100644
+--- a/src/llex.c
++++ b/src/llex.c
+@@ -118,8 +118,10 @@ TString *luaX_newstring (LexState *ls, const char *str, size_t l) {
+   lua_State *L = ls->L;
+   TString *ts = luaS_newlstr(L, str, l);
+   TValue *o = luaH_setstr(L, ls->fs->h, ts);  /* entry for `str' */
+-  if (ttisnil(o))
++  if (ttisnil(o)) {
+     setbvalue(o, 1);  /* make sure `str' will not be collected */
++    luaC_checkGC(L);
++  }
+   return ts;
+ }
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
new file mode 100644
index 0000000..7d740ca
--- /dev/null
+++ b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
@@ -0,0 +1,39 @@
+From ce47c22d52dcc4996c03e073ddf94398aa42411e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:21:46 +0100
+Subject: [PATCH 07/11] string.format may get buffer as an argument when there are missing
+ arguments and format string is too long.
+
+reported by Roberto on 12 Apr 2010.
+Example:
+--
+x = string.rep("x", 10000) .. "%d"
+print(string.format(x))    -- gives wrong error message
+--
+---
+
+diff --git a/src/lstrlib.c b/src/lstrlib.c
+index 1b4763d..fe452ce 100644
+--- a/src/lstrlib.c
++++ b/src/lstrlib.c
+@@ -754,6 +754,7 @@ static void addintlen (char *form) {
+
+
+ static int str_format (lua_State *L) {
++  int top = lua_gettop(L);
+   int arg = 1;
+   size_t sfl;
+   const char *strfrmt = luaL_checklstring(L, arg, &sfl);
+@@ -768,7 +769,8 @@ static int str_format (lua_State *L) {
+     else { /* format item */
+       char form[MAX_FORMAT];  /* to store the format (`%...') */
+       char buff[MAX_ITEM];  /* to store the formatted item */
+-      arg++;
++      if (++arg > top)
++        luaL_argerror(L, arg, "no value");
+       strfrmt = scanformat(L, strfrmt, form);
+       switch (*strfrmt++) {
+         case 'c': {
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
new file mode 100644
index 0000000..aab63bb
--- /dev/null
+++ b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
@@ -0,0 +1,32 @@
+From 224bbe29a295851544712b4470f7a48f338cddaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:23:53 +0100
+Subject: [PATCH 08/11] io.read("*n", "*n") may return garbage if second read fails.
+
+reported by Roberto on 12 Apr 2010.
+Example:
+--
+print(io.read("*n", "*n"))   --<< enter "10   hi"
+--> file (0x884420)    nil
+--
+---
+
+diff --git a/src/liolib.c b/src/liolib.c
+index e79ed1c..8de2547 100644
+--- a/src/liolib.c
++++ b/src/liolib.c
+@@ -276,7 +276,10 @@ static int read_number (lua_State *L, FILE *f) {
+     lua_pushnumber(L, d);
+     return 1;
+   }
+-  else return 0;  /* read fails */
++  else {
++    lua_pushnil(L);  /* "result" to be removed */
++    return 0;  /* read fails */
++  }
+ }
+
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 0000000..a3656ad
--- /dev/null
+++ b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
@@ -0,0 +1,50 @@
+From 14c92823c5877a458ddcfa2c90d0b03ea873baa3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:25:18 +0100
+Subject: [PATCH 09/11] Wrong code generation for some particular boolean expressions.
+
+reported by Thierry Van Elsuwe on 20 Jan 2011.
+Example:
+--
+print((('hi' or true) and true) or true)
+--> hi     (should be true)
+print(((nil and nil) or false) and true)
+--> nil    (should be false)
+--
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index 84f286b..c13066e 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -549,13 +549,6 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+       pc = e->u.s.info;
+       break;
+     }
+-    case VFALSE: {
+-      if (!hasjumps(e)) {
+-        pc = luaK_jump(fs);  /* always jump */
+-        break;
+-      }
+-      /* else go through */
+-    }
+     default: {
+       pc = jumponcond(fs, e, 0);
+       break;
+@@ -579,13 +572,6 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+       pc = e->u.s.info;
+       break;
+     }
+-    case VTRUE: {
+-      if (!hasjumps(e)) {
+-        pc = luaK_jump(fs);  /* always jump */
+-        break;
+-      }
+-      /* else go through */
+-    }
+     default: {
+       pc = jumponcond(fs, e, 1);
+       break;
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
new file mode 100644
index 0000000..d0424f0
--- /dev/null
+++ b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
@@ -0,0 +1,31 @@
+From 81ff350a91cb1c248e96366eed3049386c5f2cba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:27:04 +0100
+Subject: [PATCH 10/11] __newindex metamethod may not work if metatable is its own metatable.
+
+reported by Cuero Bugot on 09 Aug 2011.
+Example:
+--
+meta={}
+setmetatable(meta, meta)
+meta.__newindex = function(t, key, value) print("set") end
+o = setmetatable({}, meta)
+o.x = 10    -- should print 'set'
+--
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index 4ac2e71..ca7bea0 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -142,6 +142,7 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+       if (!ttisnil(oldval) ||  /* result is no nil? */
+           (tm = fasttm(L, h->metatable, TM_NEWINDEX)) == NULL) { /* or no TM? */
+         setobj2t(L, oldval, val);
++        h->flags = 0;
+         luaC_barriert(L, h, val);
+         return;
+       }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
new file mode 100644
index 0000000..7428e3b
--- /dev/null
+++ b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
@@ -0,0 +1,26 @@
+From 23449ee61f062a18926f11a216f9906155f259b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:28:19 +0100
+Subject: [PATCH 11/11] Parser may collect a prototype while building it.
+
+reported by Ingo van Lil on 13 Oct 2011.
+---
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 1e2a9a8..a2721d2 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -374,9 +374,9 @@ static void close_func (LexState *ls) {
+   lua_assert(luaG_checkcode(f));
+   lua_assert(fs->bl == NULL);
+   ls->fs = fs->prev;
+-  L->top -= 2;  /* remove table and prototype from the stack */
+   /* last token read was anchored in defunct function; must reanchor it */
+   if (fs) anchor_token(ls);
++  L->top -= 2;  /* remove table and prototype from the stack */
+ }
+
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/series b/patches/lua-5.1.4/series
index 2c51e37..5f3e6b4 100644
--- a/patches/lua-5.1.4/series
+++ b/patches/lua-5.1.4/series
@@ -1,3 +1,14 @@
 remove-Makefile.diff
 autoconfize.diff
 automakize.diff
+#0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
+#0002-It-is-possible-to-create-functions-that-return-too-m.patch
+0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
+0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
+0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
+0007-string.format-may-get-buffer-as-an-argument-when-the.patch
+0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
+0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
+0011-Parser-may-collect-a-prototype-while-building-it.patch
--
1.7.2.5


________________________________

Ce courriel et toutes les pièces jointes sont confidentiels et peuvent être couverts par un privilège ou une protection légale. Il est établi à l’attention exclusive de ses destinataires. Toute utilisation de ce courriel non conforme à sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse préalable.
This email and any attachment are confidential and may be legally privileged or otherwise protected from disclosure. It is intended only for the stated addressee(s) and access to it by any other person(s) is unauthorized. Any use, dissemination or disclosure not in accordance with its purpose, either in whole or in part, is prohibited without our prior formal approval.
-- 
ptxdist mailing list
ptxdist@pengutronix.de