author | Benoît Burnichon <benoit.burnichon@airtag.com> | 2011-12-08 17:26:06 +0100 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2011-12-09 14:50:39 +0100 |
commit | 0d0498774abe6b2789d019a1c5b86b7bb21ac860 (patch) | |
tree | 4d0884b80639eec77d43fe196b956c310e389c19 /patches/lua-5.1.4 | |
parent | d9cc5e378b7a1dbc755c9f77fc055fdf7c022231 (diff) | |
download | ptxdist-0d0498774abe6b2789d019a1c5b86b7bb21ac860.tar.gz ptxdist-0d0498774abe6b2789d019a1c5b86b7bb21ac860.tar.xz |
lua: update to the latest bugfix patch
Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches/lua-5.1.4')
12 files changed, 426 insertions, 0 deletions
diff --git a/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
new file mode 100644
index 000000000..afd36d296
--- /dev/null
+++ b/patches/lua-5.1.4/0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
@@ -0,0 +1,11 @@
+From 293f82d33cd67b7f48e078788af6a4b2887c16bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:05:35 +0100
+Subject: [PATCH 01/11] Maliciously crafted precompiled code can crash Lua
+
+Comes from http://www.lua.org/bugs.html#5.1.4-1
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
diff --git a/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
new file mode 100644
index 000000000..428dcfd4e
--- /dev/null
+++ b/patches/lua-5.1.4/0002-It-is-possible-to-create-functions-that-return-too-m.patch
@@ -0,0 +1,12 @@
+From e5973b1ca3ad83d500f0c85abb78b2a0bf5fbdc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:07:18 +0100
+Subject: [PATCH 02/11] It is possible to create functions that return too many arguments and
+ overflow the stack of C functions.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-2
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
diff --git a/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 000000000..894258719
--- /dev/null
+++ b/patches/lua-5.1.4/0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
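Review bot: The files added for 0001 and 0002 hold only the mail header and the `---` separator, with no diff body, and the `series` hunk at the end of this commit lists both with a leading `#`, so the entries titled "Maliciously crafted precompiled code can crash Lua" and the overflow of the C stack through too many return values stay unaddressed in the built package. Both titles describe memory-safety failures reachable from script or bytecode input, so the gap should be stated rather than implied by an empty file: either carry the upstream change referenced by each `Comes from` line, or drop the stubs and put a comment in `series` saying why they are not applied. Until then, users of this package should treat precompiled chunks from untrusted sources as unsafe to load.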
@@ -0,0 +1,72 @@
+From b40f5fc4341153fc53fa2d0e839223944b022e6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:10:56 +0100
+Subject: [PATCH 03/11] Wrong code generation for some particular boolean expressions. (see also
+ 9)
+
+Comes from http://www.lua.org/bugs.html#5.1.4-3
+
+ reported by Brian Kelley on 15 Apr 2009.
+ Example:
+ --
+ print(((1 or false) and true) or false) --> 1, but should be 'true'
+ --
+
+Patch: (partial solution; see also 9)
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index cff626b..84f286b 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -544,15 +544,18 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+ pc = NO_JUMP; /* always true; do nothing */
+ break;
+ }
+- case VFALSE: {
+- pc = luaK_jump(fs); /* always jump */
+- break;
+- }
+ case VJMP: {
+ invertjump(fs, e);
+ pc = e->u.s.info;
+ break;
+ }
++ case VFALSE: {
++ if (!hasjumps(e)) {
++ pc = luaK_jump(fs); /* always jump */
++ break;
++ }
++ /* else go through */
++ }
+ default: {
+ pc = jumponcond(fs, e, 0);
+ break;
+@@ -572,14 +575,17 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+ pc = NO_JUMP; /* always false; do nothing */
+ break;
+ }
+- case VTRUE: {
+- pc = luaK_jump(fs); /* always jump */
+- break;
+- }
+ case VJMP: {
+ pc = e->u.s.info;
+ break;
+ }
++ case VTRUE: {
++ if (!hasjumps(e)) {
++ pc = luaK_jump(fs); /* always jump */
++ break;
++ }
++ /* else go through */
++ }
+ default: {
+ pc = jumponcond(fs, e, 1);
+ break;
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
new file mode 100644
index 000000000..7fa62f89b
--- /dev/null
+++ b/patches/lua-5.1.4/0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
@@ -0,0 +1,51 @@
+From 41f746c9be4330bac1466ab994f147aeef88675d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:13:59 +0100
+Subject: [PATCH 04/11] luaV_settable may invalidate a reference to a table and try to reuse it
+
+Comes from http://www.lua.org/bugs.html#5.1.4-4
+
+reported by Mark Feldman on 27 Jun 2009.
+Example:
+ --
+ grandparent = {}
+ grandparent.__newindex = function(s,_,_) print(s) end
+
+ parent = {}
+ parent.__newindex = parent
+ setmetatable(parent, grandparent)
+
+ child = setmetatable({}, parent)
+ child.foo = 10 --> (crash on some machines)
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index ee3256a..4ac2e71 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -133,6 +133,7 @@ void luaV_gettable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+
+ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+ int loop;
++ TValue temp;
+ for (loop = 0; loop < MAXTAGLOOP; loop++) {
+ const TValue *tm;
+ if (ttistable(t)) { /* `t' is a table? */
+@@ -152,7 +153,9 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+ callTM(L, tm, t, key, val);
+ return;
+ }
+- t = tm; /* else repeat with `tm' */
++ /* else repeat with `tm' */
++ setobj(L, &temp, tm); /* avoid pointing inside table (may rehash) */
++ t = &temp;
+ }
+ luaG_runerror(L, "loop in settable");
+ }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
new file mode 100644
index 000000000..02052fdad
--- /dev/null
+++ b/patches/lua-5.1.4/0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
@@ -0,0 +1,32 @@
+From a0e82265587327b15635b61517601cb7c74de07e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:18:20 +0100
+Subject: [PATCH 05/11] debug.getfenv does not check whether it has an argument.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-5
+
+reported by Patrick Donnelly on 30 Jul 2009.
+Example:
+ --
+ debug.getfenv() -- should raise an error
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/ldblib.c b/src/ldblib.c
+index 67de122..21116ac 100644
+--- a/src/ldblib.c
++++ b/src/ldblib.c
+@@ -45,6 +45,7 @@ static int db_setmetatable (lua_State *L) {
+
+
+ static int db_getfenv (lua_State *L) {
++ luaL_checkany(L, 1);
+ lua_getfenv(L, 1);
+ return 1;
+ }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
new file mode 100644
index 000000000..841a917e4
--- /dev/null
+++ b/patches/lua-5.1.4/0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
@@ -0,0 +1,34 @@
+From 4a37f37706e3f89d379a827c8da646d34d136c3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:20:15 +0100
+Subject: [PATCH 06/11] GC may get stuck during parsing and avoids proper resizing of the string
+ table, making its lists grow too much and degrading performance.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-6
+
+ reported by Sean Conner on 10 Nov 2009.
+
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/llex.c b/src/llex.c
+index 6dc3193..92d6575 100644
+--- a/src/llex.c
++++ b/src/llex.c
+@@ -118,8 +118,10 @@ TString *luaX_newstring (LexState *ls, const char *str, size_t l) {
+ lua_State *L = ls->L;
+ TString *ts = luaS_newlstr(L, str, l);
+ TValue *o = luaH_setstr(L, ls->fs->h, ts); /* entry for `str' */
+- if (ttisnil(o))
++ if (ttisnil(o)) {
+ setbvalue(o, 1); /* make sure `str' will not be collected */
++ luaC_checkGC(L);
++ }
+ return ts;
+ }
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
new file mode 100644
index 000000000..122528e98
--- /dev/null
+++ b/patches/lua-5.1.4/0007-string.format-may-get-buffer-as-an-argument-when-the.patch
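Review bot: The added `luaC_checkGC(L)` turns `luaX_newstring` into a point where a collection step can run, so every caller must still have its objects anchored when it gets here, and nothing in the hunk records that. Patch 0011 in this series moves `L->top -= 2` below `anchor_token(ls)` in `close_func`, which looks like the fix for exactly that exposure (assuming `anchor_token` reaches this function, which the page does not show). The two patches should therefore be enabled or disabled together in `series`, and a comment on the new call would make the constraint visible, for example `luaC_checkGC(L);  /* may collect: callers must keep proto and table on the stack */`. The call sits after `setbvalue`, which the existing comment names as the step that keeps `str` alive, so that ordering should be preserved.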
@@ -0,0 +1,44 @@
+From ce47c22d52dcc4996c03e073ddf94398aa42411e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:21:46 +0100
+Subject: [PATCH 07/11] string.format may get buffer as an argument when there are missing
+ arguments and format string is too long.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-7
+
+reported by Roberto on 12 Apr 2010.
+Example:
+ --
+ x = string.rep("x", 10000) .. "%d"
+ print(string.format(x)) -- gives wrong error message
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lstrlib.c b/src/lstrlib.c
+index 1b4763d..fe452ce 100644
+--- a/src/lstrlib.c
++++ b/src/lstrlib.c
+@@ -754,6 +754,7 @@ static void addintlen (char *form) {
+
+
+ static int str_format (lua_State *L) {
++ int top = lua_gettop(L);
+ int arg = 1;
+ size_t sfl;
+ const char *strfrmt = luaL_checklstring(L, arg, &sfl);
+@@ -768,7 +769,8 @@ static int str_format (lua_State *L) {
+ else { /* format item */
+ char form[MAX_FORMAT]; /* to store the format (`%...') */
+ char buff[MAX_ITEM]; /* to store the formatted item */
+- arg++;
++ if (++arg > top)
++ luaL_argerror(L, arg, "no value");
+ strfrmt = scanformat(L, strfrmt, form);
+ switch (*strfrmt++) {
+ case 'c': {
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
new file mode 100644
index 000000000..080c18f60
--- /dev/null
+++ b/patches/lua-5.1.4/0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
@@ -0,0 +1,37 @@
+From 224bbe29a295851544712b4470f7a48f338cddaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:23:53 +0100
+Subject: [PATCH 08/11] io.read("*n", "*n") may return garbage if second read fails.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-8
+
+reported by Roberto on 12 Apr 2010.
+Example:
+ --
+ print(io.read("*n", "*n")) --<< enter "10 hi"
+ --> file (0x884420) nil
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/liolib.c b/src/liolib.c
+index e79ed1c..8de2547 100644
+--- a/src/liolib.c
++++ b/src/liolib.c
+@@ -276,7 +276,10 @@ static int read_number (lua_State *L, FILE *f) {
+ lua_pushnumber(L, d);
+ return 1;
+ }
+- else return 0; /* read fails */
++ else {
++ lua_pushnil(L); /* "result" to be removed */
++ return 0; /* read fails */
++ }
+ }
+
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
new file mode 100644
index 000000000..0ebb3d732
--- /dev/null
+++ b/patches/lua-5.1.4/0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
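Review bot: The failure branch of `read_number` now pushes a value and still returns 0, which is an unusual contract, and the comment `"result" to be removed` does not say who removes it. Presumably the caller pops one slot after any failed read and substitutes nil, so this function has to leave exactly one value on the stack on both paths; if that is the intent, say so, for example `lua_pushnil(L);  /* keep one slot per read: caller pops the failed result */`. The function starts outside the hunk, so the condition guarding the success path is not visible here.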
@@ -0,0 +1,55 @@
+From 14c92823c5877a458ddcfa2c90d0b03ea873baa3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:25:18 +0100
+Subject: [PATCH 09/11] Wrong code generation for some particular boolean expressions.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-9
+
+reported by Thierry Van Elsuwe on 20 Jan 2011.
+Example:
+ --
+ print((('hi' or true) and true) or true)
+ --> hi (should be true)
+ print(((nil and nil) or false) and true)
+ --> nil (should be false)
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lcode.c b/src/lcode.c
+index 84f286b..c13066e 100644
+--- a/src/lcode.c
++++ b/src/lcode.c
+@@ -549,13 +549,6 @@ void luaK_goiftrue (FuncState *fs, expdesc *e) {
+ pc = e->u.s.info;
+ break;
+ }
+- case VFALSE: {
+- if (!hasjumps(e)) {
+- pc = luaK_jump(fs); /* always jump */
+- break;
+- }
+- /* else go through */
+- }
+ default: {
+ pc = jumponcond(fs, e, 0);
+ break;
+@@ -579,13 +572,6 @@ static void luaK_goiffalse (FuncState *fs, expdesc *e) {
+ pc = e->u.s.info;
+ break;
+ }
+- case VTRUE: {
+- if (!hasjumps(e)) {
+- pc = luaK_jump(fs); /* always jump */
+- break;
+- }
+- /* else go through */
+- }
+ default: {
+ pc = jumponcond(fs, e, 1);
+ break;
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
new file mode 100644
index 000000000..c6ce00186
--- /dev/null
+++ b/patches/lua-5.1.4/0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
@@ -0,0 +1,36 @@
+From 81ff350a91cb1c248e96366eed3049386c5f2cba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:27:04 +0100
+Subject: [PATCH 10/11] __newindex metamethod may not work if metatable is its own metatable.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-10
+
+reported by Cuero Bugot on 09 Aug 2011.
+Example:
+ --
+ meta={}
+ setmetatable(meta, meta)
+ meta.__newindex = function(t, key, value) print("set") end
+ o = setmetatable({}, meta)
+ o.x = 10 -- should print 'set'
+ --
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lvm.c b/src/lvm.c
+index 4ac2e71..ca7bea0 100644
+--- a/src/lvm.c
++++ b/src/lvm.c
+@@ -142,6 +142,7 @@ void luaV_settable (lua_State *L, const TValue *t, TValue *key, StkId val) {
+ if (!ttisnil(oldval) || /* result is no nil? */
+ (tm = fasttm(L, h->metatable, TM_NEWINDEX)) == NULL) { /* or no TM? */
+ setobj2t(L, oldval, val);
++ h->flags = 0;
+ luaC_barriert(L, h, val);
+ return;
+ }
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
new file mode 100644
index 000000000..e3785c990
--- /dev/null
+++ b/patches/lua-5.1.4/0011-Parser-may-collect-a-prototype-while-building-it.patch
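Review bot: `h->flags = 0;` is added without a comment, and nothing in the hunk says what the field holds. In Lua 5.1 a table's `flags` byte caches which metamethods are known to be absent, so the raw store has to reset it in case `h` is itself used as a metatable and the key just written is a metamethod name, which is the situation in the commit message's example. A one-line comment such as `h->flags = 0;  /* invalidate cached metamethod lookups */` would record that. luaV_settable begins and ends outside this hunk.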
@@ -0,0 +1,31 @@
+From 23449ee61f062a18926f11a216f9906155f259b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
+Date: Tue, 6 Dec 2011 14:28:19 +0100
+Subject: [PATCH 11/11] Parser may collect a prototype while building it.
+
+Comes from http://www.lua.org/bugs.html#5.1.4-11
+
+reported by Ingo van Lil on 13 Oct 2011.
+
+Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
+
+---
+
+diff --git a/src/lparser.c b/src/lparser.c
+index 1e2a9a8..a2721d2 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -374,9 +374,9 @@ static void close_func (LexState *ls) {
+ lua_assert(luaG_checkcode(f));
+ lua_assert(fs->bl == NULL);
+ ls->fs = fs->prev;
+- L->top -= 2; /* remove table and prototype from the stack */
+ /* last token read was anchored in defunct function; must reanchor it */
+ if (fs) anchor_token(ls);
++ L->top -= 2; /* remove table and prototype from the stack */
+ }
+
+
+--
+1.7.2.5
+
diff --git a/patches/lua-5.1.4/series b/patches/lua-5.1.4/series
index 2c51e37c2..5f3e6b417 100644
--- a/patches/lua-5.1.4/series
+++ b/patches/lua-5.1.4/series
@@ -1,3 +1,14 @@
 remove-Makefile.diff
 autoconfize.diff
 automakize.diff
+#0001-Maliciously-crafted-precompiled-code-can-crash-Lua.patch
+#0002-It-is-possible-to-create-functions-that-return-too-m.patch
+0003-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0004-luaV_settable-may-invalidate-a-reference-to-a-table-.patch
+0005-debug.getfenv-does-not-check-whether-it-has-an-argum.patch
+0006-GC-may-get-stuck-during-parsing-and-avoids-proper-re.patch
+0007-string.format-may-get-buffer-as-an-argument-when-the.patch
+0008-io.read-n-n-may-return-garbage-if-second-read-fails.patch
+0009-Wrong-code-generation-for-some-particular-boolean-ex.patch
+0010-__newindex-metamethod-may-not-work-if-metatable-is-i.patch
+0011-Parser-may-collect-a-prototype-while-building-it.patch |