In hlua_socket_receive_yield(), when we try to get a line, the trailing CRLF is
stripped by decrementing the block length. The '\n' is first skipped, then,
possibly a preceding '\r'. But the block length is never checked. If an empty
line is returned, this leads to an integer underflow and most probably to a
crash because this length is used to copy data into a LUA string.
To fix the issue, the block length is now properly tested against 0 before
decrementing it.
This patch must be backported to all stable versions.
/* remove final \r\n. */
if (nblk == 1) {
- if (blk1[len1-1] == '\n') {
+ if (len1 && blk1[len1-1] == '\n') {
len1--;
skip_at_end++;
- if (blk1[len1-1] == '\r') {
+ if (len1 && blk1[len1-1] == '\r') {
len1--;
skip_at_end++;
}
}
}
else {
- if (blk2[len2-1] == '\n') {
+ if (len2 && blk2[len2-1] == '\n') {
len2--;
skip_at_end++;
- if (blk2[len2-1] == '\r') {
+ if (len2 && blk2[len2-1] == '\r') {
len2--;
skip_at_end++;
}
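Review bot: In the else branch, once the '\n' is stripped and len2 reaches 0, the new `len2 &&` guard skips the '\r' test, so a '\r' sitting at the end of blk1 (a CRLF split across the two blocks) would stay in the returned line. If that split can occur on this path, consider falling back to testing `blk1[len1-1]`, with `len1` checked first, when len2 hits 0. Separately, the same guarded pattern now appears twice for blk1/len1 and blk2/len2; a small helper taking a block pointer and its length would keep the bounds check in one place, and a one-line comment that the length can be 0 for an empty line would explain why the guard is there.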