From aef966d6d4777262881ca86750074a2c4bc0e429 Mon Sep 17 00:00:00 2001 From: Marko Lindqvist Date: Wed, 27 Jul 2022 04:17:24 +0300 Subject: [PATCH 45/45] Apply fix to CVE-2022-33099 in included lua Fix backported from upstream repo. See osdn #45248 Signed-off-by: Marko Lindqvist --- dependencies/lua-5.4/freeciv_lua.patch | 52 +++++++++++++++++++++++--- dependencies/lua-5.4/src/ldebug.c | 5 ++- dependencies/lua-5.4/src/lvm.c | 6 ++- 3 files changed, 54 insertions(+), 9 deletions(-) diff --git a/dependencies/lua-5.4/freeciv_lua.patch b/dependencies/lua-5.4/freeciv_lua.patch index e05ea5ff05..3cad09c1bb 100644 --- a/dependencies/lua-5.4/freeciv_lua.patch +++ b/dependencies/lua-5.4/freeciv_lua.patch @@ -1,5 +1,21 @@ +diff -Nurd lua-5.4/src/ldebug.c lua-5.4/src/ldebug.c +--- lua-5.4/src/ldebug.c 2022-07-27 04:12:01.194770626 +0300 ++++ lua-5.4/src/ldebug.c 2022-07-27 04:12:30.295004426 +0300 +@@ -824,8 +824,11 @@ + va_start(argp, fmt); + msg = luaO_pushvfstring(L, fmt, argp); /* format message */ + va_end(argp); +- if (isLua(ci)) /* if Lua function, add source:line information */ ++ if (isLua(ci)) { /* if Lua function, add source:line information */ + luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci)); ++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */ ++ L->top--; ++ } + luaG_errormsg(L); + } + diff -Nurd lua-5.4/src/ldo.c lua-5.4/src/ldo.c ---- lua-5.4/src/ldo.c 2022-04-25 22:43:41.954799101 +0300 +--- lua-5.4/src/ldo.c 2022-07-27 04:12:15.110882400 +0300 +++ lua-5.4/src/ldo.c 2022-04-11 04:08:36.230473165 +0300 @@ -60,7 +60,7 @@ try { a } catch(...) { if ((c)->status == 0) (c)->status = -1; } @@ -22,7 +38,7 @@ diff -Nurd lua-5.4/src/ldo.c lua-5.4/src/ldo.c diff -Nurd lua-5.4/src/liolib.c lua-5.4/src/liolib.c ---- lua-5.4/src/liolib.c 2022-04-25 22:43:41.954799101 +0300 +--- lua-5.4/src/liolib.c 2022-07-27 04:12:15.110882400 +0300 +++ lua-5.4/src/liolib.c 2022-04-11 04:08:36.230473165 +0300 @@ -54,7 +54,7 @@ 
@@ -43,7 +59,7 @@ diff -Nurd lua-5.4/src/liolib.c lua-5.4/src/liolib.c #include diff -Nurd lua-5.4/src/loslib.c lua-5.4/src/loslib.c ---- lua-5.4/src/loslib.c 2022-04-25 22:43:41.954799101 +0300 +--- lua-5.4/src/loslib.c 2022-07-27 04:12:15.110882400 +0300 +++ lua-5.4/src/loslib.c 2022-04-11 04:08:36.234473192 +0300 @@ -83,7 +83,7 @@ ** where it uses gmtime_r/localtime_r @@ -64,8 +80,8 @@ diff -Nurd lua-5.4/src/loslib.c lua-5.4/src/loslib.c #include diff -Nurd lua-5.4/src/lparser.c lua-5.4/src/lparser.c ---- lua-5.4/src/lparser.c 2022-04-25 22:41:53.602211639 +0300 -+++ lua-5.4/src/lparser.c 2022-04-25 22:42:41.266472066 +0300 +--- lua-5.4/src/lparser.c 2022-07-27 04:12:15.110882400 +0300 ++++ lua-5.4/src/lparser.c 2022-04-27 20:52:05.111044045 +0300 @@ -468,6 +468,7 @@ expdesc key; singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ @@ -75,7 +91,7 @@ diff -Nurd lua-5.4/src/lparser.c lua-5.4/src/lparser.c luaK_indexed(fs, var, &key); /* env[varname] */ } diff -Nurd lua-5.4/src/luaconf.h lua-5.4/src/luaconf.h ---- lua-5.4/src/luaconf.h 2022-04-25 22:43:41.954799101 +0300 +--- lua-5.4/src/luaconf.h 2022-07-27 04:12:15.114882434 +0300 +++ lua-5.4/src/luaconf.h 2022-04-11 04:08:36.234473192 +0300 @@ -11,6 +11,7 @@ #include 
@@ -85,3 +101,27 @@ diff -Nurd lua-5.4/src/luaconf.h lua-5.4/src/luaconf.h
 /*
 ** ===================================================================
+diff -Nurd lua-5.4/src/lvm.c lua-5.4/src/lvm.c
+--- lua-5.4/src/lvm.c 2022-07-27 04:12:01.198770660 +0300
++++ lua-5.4/src/lvm.c 2022-07-27 04:12:30.295004426 +0300
+@@ -656,8 +656,10 @@
+ /* collect total length and number of strings */
+ for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
+ size_t l = vslen(s2v(top - n - 1));
+- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
++ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
++ L->top = top - total; /* pop strings to avoid wasting stack */
+ luaG_runerror(L, "string length overflow");
++ }
+ tl += l;
+ }
+ if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */
+@@ -672,7 +674,7 @@
+ setsvalue2s(L, top - n, ts); /* create result */
+ }
+ total -= n-1; /* got 'n' strings to create 1 new */
+- L->top -= n-1; /* popped 'n' strings and pushed one */
++ L->top = top - (n - 1); /* popped 'n' strings and pushed one */
+ } while (total > 1); /* repeat until only 1 result left */
+ }
+
diff --git a/dependencies/lua-5.4/src/ldebug.c b/dependencies/lua-5.4/src/ldebug.c
index a716d95e22..fa15eaf68e 100644
--- a/dependencies/lua-5.4/src/ldebug.c
+++ b/dependencies/lua-5.4/src/ldebug.c
@@ -824,8 +824,11 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
 va_start(argp, fmt);
 msg = luaO_pushvfstring(L, fmt, argp); /* format message */
 va_end(argp);
- if (isLua(ci)) /* if Lua function, add source:line information */
+ if (isLua(ci)) { /* if Lua function, add source:line information */
 luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci));
+ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */
+ L->top--;
+ }
 luaG_errormsg(L);
 }
diff --git a/dependencies/lua-5.4/src/lvm.c b/dependencies/lua-5.4/src/lvm.c
index 2ec3440031..154a6262f2 100644
--- a/dependencies/lua-5.4/src/lvm.c
+++ b/dependencies/lua-5.4/src/lvm.c
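Review bot: The two lines added after luaG_addinfo state what they do but not the invariant they rely on: `L->top - 2` must still hold `msg` and luaG_addinfo (defined outside the hunk) must have pushed exactly one value above it, otherwise the copy-and-pop moves the wrong value into the slot that luaG_errormsg presumably raises from. The commit message ties this to CVE-2022-33099, but nothing in the code does, so a later maintainer has no reason not to "simplify" the pop away. I would extend the comment to `/* overwrite 'msg' with the annotated message and drop the spare slot: an error raised with the stack nearly full must leave only one value behind (CVE-2022-33099) */`. luaG_runerror's body begins above the hunk; the same change is recorded in the freeciv_lua.patch hunk at the top of the page.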
@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int total) {
 /* collect total length and number of strings */
 for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) {
 size_t l = vslen(s2v(top - n - 1));
- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl))
+ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) {
+ L->top = top - total; /* pop strings to avoid wasting stack */
 luaG_runerror(L, "string length overflow");
+ }
 tl += l;
 }
 if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? */
@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int total) {
 setsvalue2s(L, top - n, ts); /* create result */
 }
 total -= n-1; /* got 'n' strings to create 1 new */
- L->top -= n-1; /* popped 'n' strings and pushed one */
+ L->top = top - (n - 1); /* popped 'n' strings and pushed one */
 } while (total > 1); /* repeat until only 1 result left */
 }
--
2.35.1
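Review bot: `L->top = top - total;` on the overflow path discards the concat operands before raising, and the comment `/* pop strings to avoid wasting stack */` understates the reason: luaG_runerror has to push its message, and doing that with the operands still occupying a nearly full stack is the condition CVE-2022-33099 describes. I would make the comment say so: `/* drop the operands before raising: luaG_runerror pushes the message and must not run with them still on a nearly full stack (CVE-2022-33099) */`. This also assumes `top` is the snapshot of L->top taken at the start of this pass, which is assigned above the hunk; luaV_concat starts and ends outside the hunk.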
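Review bot: Replacing `L->top -= n-1` with `L->top = top - (n - 1)` makes the pass-end adjustment depend on the local `top` still pointing into the live stack, which the old relative form did not. The metamethod branch at the top of the do-loop (outside the hunk) calls luaT_tryconcatTM, which runs Lua code; if that call can grow and reallocate the stack — I cannot confirm from the hunk that it cannot — `top` is stale here and L->top receives a pointer into the freed block, with no error raised. The overflow path above already sets L->top from `top` before luaG_runerror and never reaches this line, so the absolute form does not appear to be needed for the fix; I would keep the relative form, `L->top -= n - 1;  /* popped 'n' strings and pushed one; derived from L->top, not 'top', which a metamethod may have invalidated */`. The same line is recorded in the freeciv_lua.patch hunk above.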