From: Christopher Faulet
Date: Fri, 13 Aug 2021 06:11:00 +0000 (+0200)
Subject: BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions
X-Git-Tag: v2.5-dev4~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70c4345dbc19c2e304d8d481ccb391990b61c425;p=thirdparty%2Fhaproxy.git

BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions

In Channel and HTTPMessage classes, several functions uses an offset that may be negative to start from the end of incoming data. But, after calculation, the offset must never be negative. However, there is a bug because of a bad cast to unsigned when "input + offset" is performed. The result must be a signed integer. This patch should fix most of defects reported in the issue #1347. It only affects 2.5-dev. No backport needed.
---
diff --git a/src/hlua.c b/src/hlua.c
index be95a97296..717380c6bc 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3120,7 +3120,7 @@ __LJMP static int hlua_channel_get_data_yield(lua_State *L, int status, lua_KCon
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -3183,7 +3183,7 @@ __LJMP static int hlua_channel_get_line_yield(lua_State *L, int status, lua_KCon
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
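Review bot: The `offset = MAY_LJMP(luaL_checkinteger(L, 2));` line in hlua_channel_get_data_yield narrows a `lua_Integer` before any range check runs, and this commit leaves that as it was. The declaration of `offset` is outside the hunk, but the new `(int)input + offset` suggests it is an `int`; if so, a script value outside the int range is altered by the assignment and can land inside the accepted window instead of raising "offset out of range.". Reading the argument into a `lua_Integer` and rejecting values that do not fit, before the negative-offset clamp, closes that gap. The same assignment opens the other eight hunks (argument 3 in the insert/set/del variants). The function body starts and ends outside the hunk.

```c
	if (lua_gettop(L) > 1) {
		lua_Integer arg = MAY_LJMP(luaL_checkinteger(L, 2));

		/* refuse values that the conversion to int would alter */
		if (arg < INT_MIN || arg > INT_MAX) {
			lua_pushfstring(L, "offset out of range.");
			WILL_LJMP(lua_error(L));
		}
		offset = (int)arg;
		/* … unchanged: negative-offset clamp and range check … */
```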
@@ -3519,9 +3519,8 @@ __LJMP static int hlua_channel_insert_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
@@ -3579,7 +3578,7 @@ __LJMP static int hlua_channel_set_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -3653,7 +3652,7 @@ __LJMP static int hlua_channel_del_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -6478,7 +6477,7 @@ __LJMP static int hlua_http_msg_get_body(lua_State *L)
 if (lua_gettop(L) > 1) {
 offset = MAY_LJMP(luaL_checkinteger(L, 2));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");
@@ -6596,9 +6595,8 @@ __LJMP static int hlua_http_msg_insert_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
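Review bot: The `(int)` cast added in hlua_channel_insert_data, and in the other eight hunks, carries the whole fix, yet nothing in the code says why it is there, so a later cleanup could drop it and bring the bug back. A comment above the line would record it, for example `/* input is unsigned: cast it so that adding a negative offset stays signed and MAX() can clamp to 0 */`. The cast also assumes the amount of input data always fits in an int; the declaration of `input` and the buffer size limit are not visible in this diff, so that assumption is worth stating in the same comment.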
@@ -6639,9 +6637,8 @@ __LJMP static int hlua_http_msg_del_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
-
 if (offset < output || offset > output + input) {
 lua_pushfstring(L, "offset out of range.");
 WILL_LJMP(lua_error(L));
@@ -6701,7 +6698,7 @@ __LJMP static int hlua_http_msg_set_data(lua_State *L)
 if (lua_gettop(L) > 2) {
 offset = MAY_LJMP(luaL_checkinteger(L, 3));
 if (offset < 0)
- offset = MAX(0, input + offset);
+ offset = MAX(0, (int)input + offset);
 offset += output;
 if (offset < output || offset > input + output) {
 lua_pushfstring(L, "offset out of range.");