From 5a6dbf6124cafa236ee3355419548302090bd395 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C5=8Dshin?=
Date: Sat, 18 May 2024 16:18:08 -0700
Subject: [PATCH] Fix buffer overflow in os.tmpname

At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp that takes up to 120 or so bytes to spell. Instead of overflowing, we do a bounds check and the function fails successfully on even longer /tmps. Fixes #1108 (os.tmpname crashes redbean)
---
 third_party/lua/loslib.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/third_party/lua/loslib.c b/third_party/lua/loslib.c
index 2693ac51b..2c8e120e3 100644
--- a/third_party/lua/loslib.c
+++ b/third_party/lua/loslib.c
@@ -133,12 +133,12 @@ __static_yoink("lua_notice");
 #if defined(LUA_USE_POSIX) /* { */
-#define LUA_TMPNAMBUFSIZE 32
+#define LUA_TMPNAMBUFSIZE 128
 #define lua_tmpnam(b,e) { \
- strcpy(b, __get_tmpdir()); \
- strcat(b, "lua_XXXXXX"); \
- e = mkstemp(b); \
+ strlcpy(b, __get_tmpdir(), LUA_TMPNAMBUFSIZE); \
+ e = strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE; \
+ e = e ? -1 : mkstemp(b); \
 if (e != -1) close(e); \
 e = (e == -1); }
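Review bot: The bounds in `lua_tmpnam` are tied to the constant `LUA_TMPNAMBUFSIZE` rather than to the buffer actually passed as `b`, so the overflow fix holds only while every caller hands in an array of at least that size; the callers are outside this hunk, so that should be confirmed or stated. The unchecked `strlcpy` return also deserves a word, since it is correct only because a truncated copy leaves `b` full and so pushes the following `strlcat` result to the limit. I would add above the macro: `/* b: char array of at least LUA_TMPNAMBUFSIZE bytes. e: nonzero on failure, including a tmpdir too long for b (strlcat's return also covers strlcpy truncation). */`. `__get_tmpdir()` is not visible here; if it reflects `TMPDIR` as the commit message suggests, the path length is environment-controlled and this check is the only guard on it.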