gh-mirror/mikepaul-LuaJIT
1
0
Fork 0
mirror of https://github.com/LuaJIT/LuaJIT.git synced 2025-02-07 23:24:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Limit number of string format elements to compile.

Browse Source 
Reported by pwnhacker0x18. #1203
This commit is contained in:
Mike Pall 2024-05-25 16:22:39 +02:00
parent a6386bdabe
commit 4fc48c50fe
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/lj_ffrecord.c
View File

@ -1005,6 +1005,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
GCstr *fmt = argv2str(J, &rd->argv[arg]); GCstr *fmt = argv2str(J, &rd->argv[arg]);
FormatState fs; FormatState fs;
SFormat sf; SFormat sf;
int nfmt = 0;
/* Specialize to the format string. */ /* Specialize to the format string. */
emitir(IRTG(IR_EQ, IRT_STR), trfmt, lj_ir_kstr(J, fmt)); emitir(IRTG(IR_EQ, IRT_STR), trfmt, lj_ir_kstr(J, fmt));
lj_strfmt_init(&fs, strdata(fmt), fmt->len); lj_strfmt_init(&fs, strdata(fmt), fmt->len);
@ -1082,6 +1083,7 @@ static void recff_format(jit_State *J, RecordFFData *rd, TRef hdr, int sbufx)
recff_nyiu(J, rd); recff_nyiu(J, rd);
return; return;
} }
if (++nfmt > 100) lj_trace_err(J, LJ_TRERR_TRACEOV);
} }
if (sbufx) { if (sbufx) {
emitir(IRT(IR_USE, IRT_NIL), tr, 0); emitir(IRT(IR_USE, IRT_NIL), tr, 0);