
Commit 57b1f90

committed
Fix critical security issue.
CVE-2018-11218 See also http://antirez.com/news/119.
1 parent 4d94cab commit 57b1f90


1 file changed

+10
-0
lines changed


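--- a/lua_cmsgpack.c
+++ b/lua_cmsgpack.c
@@ -385,6 +385,7 @@ void mp_encode_lua_table_as_array(lua_State *L, mp_buf *buf, int level) {
 #endif
 
 mp_encode_array(L,buf,len);
+luaL_checkstack(L, 1, "in function mp_encode_lua_table_as_array");
 for (j = 1; j <= len; j++) {
 lua_pushnumber(L,j);
 lua_gettable(L,-2);
@@ -400,6 +401,7 @@ void mp_encode_lua_table_as_map(lua_State *L, mp_buf *buf, int level) {
 * Lua API, we need to iterate a first time. Note that an alternative
 * would be to do a single run, and then hack the buffer to insert the
 * map opcodes for message pack. Too hackish for this lib. */
+luaL_checkstack(L, 3, "in function mp_encode_lua_table_as_map");
 lua_pushnil(L);
 while(lua_next(L,-2)) {
 lua_pop(L,1); /* remove value, keep key for next iteration. */
@@ -515,10 +517,14 @@ int mp_pack(lua_State *L) {
 if (nargs == 0)
 return luaL_argerror(L, 0, "MessagePack pack needs input.");
 
+if (!lua_checkstack(L, nargs))
+return luaL_argerror(L, 0, "Too many arguments for MessagePack pack.");
+
 buf = mp_buf_new(L);
 for(i = 1; i <= nargs; i++) {
 /* Copy argument i to top of stack for _encode processing;
 * the encode function pops it from the stack when complete. */
+luaL_checkstack(L, 1, "in function mp_check");
 lua_pushvalue(L, i);
 
 mp_encode_lua_type(L,buf,0);
@@ -547,6 +553,7 @@ void mp_decode_to_lua_array(lua_State *L, mp_cur *c, size_t len) {
 int index = 1;
 
 lua_newtable(L);
+luaL_checkstack(L, 1, "in function mp_decode_to_lua_array");
 while(len--) {
 lua_pushnumber(L,index++);
 mp_decode_to_lua_type(L,c);
@@ -821,6 +828,9 @@ int mp_unpack_full(lua_State *L, int limit, int offset) {
 * subtract the entire buffer size from the unprocessed size
 * to get our next start offset */
 int offset = len - c.left;
+
+luaL_checkstack(L, 1, "in function mp_unpack_full");
+
 /* Return offset -1 when we have have processed the entire buffer. */
 lua_pushinteger(L, c.left == 0 ? -1 : offset);
 /* Results are returned with the arg elements still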
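Review bot: In mp_pack the new `luaL_checkstack(L, 1, "in function mp_check")` inside the loop raises a Lua error after `buf = mp_buf_new(L)` has run, so that path leaves the function without releasing `buf`; if mp_buf_new returns memory the Lua garbage collector does not track (its definition is not shown), every failed call leaks the buffer. Using the non-raising `lua_checkstack(L, 1)` there, as the up-front test does, would let the loop free `buf` before reporting the error. The checks added in mp_encode_lua_table_as_array and mp_encode_lua_table_as_map can presumably raise during the same mp_pack call, so the same cleanup question applies to them. The message text also names `mp_check`, while the enclosing function is mp_pack; `"in function mp_pack"` would match the other four messages. mp_pack's body continues outside the hunk.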
