1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From: =?UTF-8?q?Beno=C3=AEt=20Burnichon?= <benoit.burnichon@airtag.com>
Date: Tue, 6 Dec 2011 14:21:46 +0100
Subject: [PATCH] string.format may get buffer as an argument when there are
missing arguments and format string is too long.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Comes from http://www.lua.org/bugs.html#5.1.4-7
reported by Roberto on 12 Apr 2010.
Example:
--
x = string.rep("x", 10000) .. "%d"
print(string.format(x)) -- gives wrong error message
--
Signed-off-by: Benoît Burnichon <benoit.burnichon@airtag.com>
---
src/lstrlib.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/lstrlib.c b/src/lstrlib.c
index 1b4763d..fe452ce 100644
--- a/src/lstrlib.c
+++ b/src/lstrlib.c
@@ -754,6 +754,7 @@ static void addintlen (char *form) {
static int str_format (lua_State *L) {
+ int top = lua_gettop(L);
int arg = 1;
size_t sfl;
const char *strfrmt = luaL_checklstring(L, arg, &sfl);
@@ -768,7 +769,8 @@ static int str_format (lua_State *L) {
else { /* format item */
char form[MAX_FORMAT]; /* to store the format (`%...') */
char buff[MAX_ITEM]; /* to store the formatted item */
- arg++;
+ if (++arg > top)
+ luaL_argerror(L, arg, "no value");
strfrmt = scanformat(L, strfrmt, form);
switch (*strfrmt++) {
case 'c': {
|