From 4fc48c50fe3f3f5a9680bada5c0c0d0d7eb345a3 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sat, 25 May 2024 16:22:39 +0200
Subject: [PATCH] Limit number of string format elements to compile.
Reported by pwnhacker0x18. #1203
---
 src/lj_ffrecord.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lj_ffrecord.c b/src/lj_ffrecord.c
index 923824d9..b298d3f7 100644
--- a/src/lj_ffrecord.c
+++ b/src/lj_ffrecord.c
@@ -1005,6 +1005,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
 GCstr *fmt = argv2str(J, &rd->argv[arg]);
 FormatState fs;
 SFormat sf;
+ int nfmt = 0;
 /* Specialize to the format string. */
 emitir(IRTG(IR_EQ, IRT_STR), trfmt, lj_ir_kstr(J, fmt));
 lj_strfmt_init(&fs, strdata(fmt), fmt->len);
@@ -1082,6 +1083,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
 recff_nyiu(J, rd);
 return;
 }
+ if (++nfmt > 100) lj_trace_err(J, LJ_TRERR_TRACEOV);
 }
 if (sbufx) {
 emitir(IRT(IR_USE, IRT_NIL), tr, 0);
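Review bot: The threshold in the second hunk, `if (++nfmt > 100) lj_trace_err(J, LJ_TRERR_TRACEOV);`, is a bare magic number with no comment saying what it bounds or why the trace is aborted rather than the call being marked NYI. A named constant and a one-line rationale would make the intent survive the commit message, e.g. `#define LJ_MAX_FMTELEM 100  /* Max format elements recorded per string.format call. */` next to the other limits and, at the check, `/* Bound IR emitted for a script-controlled format string; abort the trace beyond this (#1203). */`. Because the counter is tested after each element has been recorded, the 101st element is presumably still fully emitted before the abort, so the limit caps growth rather than strictly capping the count; if a strict cap is intended the check would move ahead of the per-element recording. The loop over format elements and recff_format itself begin before the hunk, so the placement of the counter relative to the loop header is not visible here.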