From 65c9b28e99e835e408b1b1bbcfd68bc2888b9fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C5=8Dshin?=
Date: Mon, 20 May 2024 00:46:27 -0700
Subject: [PATCH] Fix buffer overflow in os.tmpname (#1180)

At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp that takes up to 120 or so bytes to spell. Instead of overflowing, we do a bounds check and the function fails successfully on even longer /tmps. Fixes #1108 (os.tmpname crashes redbean)
---
 third_party/lua/README.cosmo | 2 ++
 third_party/lua/loslib.c | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/third_party/lua/README.cosmo b/third_party/lua/README.cosmo
index 1d418f797..6f02aec3c 100644
--- a/third_party/lua/README.cosmo
+++ b/third_party/lua/README.cosmo
@@ -36,3 +36,5 @@ LOCAL MODIFICATIONS
 Added Python-like printf modulus operator for strings.
 Added Python-like printf multiply operator for strings.
+
+ Fixed a buffer overflow in os.tmpname
diff --git a/third_party/lua/loslib.c b/third_party/lua/loslib.c
index 2693ac51b..2c8e120e3 100644
--- a/third_party/lua/loslib.c
+++ b/third_party/lua/loslib.c
@@ -133,12 +133,12 @@ __static_yoink("lua_notice");
 #if defined(LUA_USE_POSIX) /* { */
-#define LUA_TMPNAMBUFSIZE 32
+#define LUA_TMPNAMBUFSIZE 128
 #define lua_tmpnam(b,e) { \
- strcpy(b, __get_tmpdir()); \
- strcat(b, "lua_XXXXXX"); \
- e = mkstemp(b); \
+ strlcpy(b, __get_tmpdir(), LUA_TMPNAMBUFSIZE); \
+ e = strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE; \
+ e = e ? -1 : mkstemp(b); \
 if (e != -1) close(e); \
 e = (e == -1); }
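Review bot: The bounds check in `lua_tmpnam` is correct only through a non-obvious property and should carry a comment: the `strlcpy` result is discarded, and a truncated copy is caught solely because it leaves `b` full, so the following `strlcat` returns at least `LUA_TMPNAMBUFSIZE`. The macro also bounds both calls by `LUA_TMPNAMBUFSIZE` rather than by the actual size of `b`, so it is safe only when the caller declares its buffer with exactly that size; the caller is outside this hunk, so that should be confirmed and stated. I would add above the macro `/* b must be char[LUA_TMPNAMBUFSIZE]; an over-long tmpdir is reported as failure: strlcpy truncation leaves b full, which the strlcat length check catches */`. The too-long path also reports failure without setting `errno`, so from the caller's side it is indistinguishable from a `mkstemp` error.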