From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
Date: Tue, 6 Dec 2011 14:21:46 +0100
Subject: [PATCH] string.format may get buffer as an argument when there are
 missing arguments and format string is too long.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Comes from http://www.lua.org/bugs.html#5.1.4-7

reported by Roberto on 12 Apr 2010.
Example:
 --
 x = string.rep("x", 10000) .. "%d"
 print(string.format(x))    -- gives wrong error message
 --

Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
---
 src/lstrlib.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/lstrlib.c b/src/lstrlib.c
index 1b4763d..fe452ce 100644
--- a/src/lstrlib.c
+++ b/src/lstrlib.c
@@ -754,6 +754,7 @@ static void addintlen (char *form) {
 
 
 static int str_format (lua_State *L) {
+  int top = lua_gettop(L);
   int arg = 1;
   size_t sfl;
   const char *strfrmt = luaL_checklstring(L, arg, &sfl);
@@ -768,7 +769,8 @@ static int str_format (lua_State *L) {
     else { /* format item */
       char form[MAX_FORMAT];  /* to store the format (`%...') */
       char buff[MAX_ITEM];  /* to store the formatted item */
-      arg++;
+      if (++arg > top)
+        luaL_argerror(L, arg, "no value");
       strfrmt = scanformat(L, strfrmt, form);
       switch (*strfrmt++) {
         case 'c': {