MFC r366760: lua: update to 5.3.6

This release contains some minor bugfixes; notably:
- 2x minor Makefile fixes (not used in base)
- Long brackets with a huge number of '=' overflow some internal buffer
  arithmetic.
- Joining an upvalue with itself can cause a use-after-free crash.

See here for examples: http://www.lua.org/bugs.html#5.3.5

MFC after:	2 weeks
Kyle Evans 2020-10-16 17:03:27 +00:00
commit bf9580a118
16 changed files with 104 additions and 52 deletions


@ -46,7 +46,7 @@ TO_MAN= lua.1 luac.1
# Lua version and release.
V= 5.3
R= $V.4
R= $V.6
# Targets start here.
all: $(PLAT)


@ -1,5 +1,5 @@
This is Lua 5.3.5, released on 26 Jun 2018.
This is Lua 5.3.6, released on 14 Sep 2020.
For installation instructions, license details, and
further information about Lua, see doc/readme.html.


@ -32,7 +32,7 @@ For a complete introduction to Lua programming, see the book
<P>
<SMALL>
Copyright &copy; 2015&ndash;2018 Lua.org, PUC-Rio.
Copyright &copy; 2015&ndash;2020 Lua.org, PUC-Rio.
Freely available under the terms of the
<A HREF="http://www.lua.org/license.html">Lua license</A>.
</SMALL>
@ -318,6 +318,37 @@ Freely available under the terms of the
<A HREF="manual.html#pdf-utf8.len">utf8.len</A><BR>
<A HREF="manual.html#pdf-utf8.offset">utf8.offset</A><BR>
<H3><A NAME="metamethods">metamethods</A></H3>
<P>
<A HREF="manual.html#2.4">__add</A><BR>
<A HREF="manual.html#2.4">__band</A><BR>
<A HREF="manual.html#2.4">__bnot</A><BR>
<A HREF="manual.html#2.4">__bor</A><BR>
<A HREF="manual.html#2.4">__bxor</A><BR>
<A HREF="manual.html#2.4">__call</A><BR>
<A HREF="manual.html#2.4">__concat</A><BR>
<A HREF="manual.html#2.4">__div</A><BR>
<A HREF="manual.html#2.4">__eq</A><BR>
<A HREF="manual.html#2.5.1">__gc</A><BR>
<A HREF="manual.html#2.4">__idiv</A><BR>
<A HREF="manual.html#2.4">__index</A><BR>
<A HREF="manual.html#2.4">__le</A><BR>
<A HREF="manual.html#2.4">__len</A><BR>
<A HREF="manual.html#2.4">__lt</A><BR>
<A HREF="manual.html#pdf-getmetatable">__metatable</A><BR>
<A HREF="manual.html#2.4">__mod</A><BR>
<A HREF="manual.html#2.5.2">__mode</A><BR>
<A HREF="manual.html#2.4">__mul</A><BR>
<A HREF="manual.html#luaL_newmetatable">__name</A><BR>
<A HREF="manual.html#2.4">__newindex</A><BR>
<A HREF="manual.html#pdf-pairs">__pairs</A><BR>
<A HREF="manual.html#2.4">__pow</A><BR>
<A HREF="manual.html#2.4">__shl</A><BR>
<A HREF="manual.html#2.4">__shr</A><BR>
<A HREF="manual.html#2.4">__sub</A><BR>
<A HREF="manual.html#pdf-tostring">__tostring</A><BR>
<A HREF="manual.html#2.4">__unm</A><BR>
<H3><A NAME="env">environment<BR>variables</A></H3>
<P>
<A HREF="manual.html#pdf-LUA_CPATH">LUA_CPATH</A><BR>
@ -609,10 +640,10 @@ Freely available under the terms of the
<P CLASS="footer">
Last update:
Mon Jun 18 22:56:06 -03 2018
Tue Aug 25 13:45:14 UTC 2020
</P>
<!--
Last change: revised for Lua 5.3.5
Last change: revised for Lua 5.3.6
-->
</BODY>


@ -19,7 +19,7 @@ by Roberto Ierusalimschy, Luiz Henrique de Figueiredo, Waldemar Celes
<P>
<SMALL>
Copyright &copy; 2015&ndash;2018 Lua.org, PUC-Rio.
Copyright &copy; 2015&ndash;2020 Lua.org, PUC-Rio.
Freely available under the terms of the
<a href="http://www.lua.org/license.html">Lua license</a>.
</SMALL>
@ -10972,10 +10972,10 @@ and LiteralString, see <a href="#3.1">&sect;3.1</a>.)
<P CLASS="footer">
Last update:
Tue Jun 26 13:16:37 -03 2018
Tue Jul 14 10:32:39 UTC 2020
</P>
<!--
Last change: revised for Lua 5.3.5
Last change: revised for Lua 5.3.6
-->
</body></html>


@ -107,7 +107,7 @@ Here are the details.
<OL>
<LI>
Open a terminal window and move to
the top-level directory, which is named <TT>lua-5.3.5</TT>.
the top-level directory, which is named <TT>lua-5.3.6</TT>.
The <TT>Makefile</TT> there controls both the build process and the installation process.
<P>
<LI>
@ -328,7 +328,7 @@ For details, see
<A HREF="http://www.lua.org/license.html">this</A>.
<BLOCKQUOTE STYLE="padding-bottom: 0em">
Copyright &copy; 1994&ndash;2017 Lua.org, PUC-Rio.
Copyright &copy; 1994&ndash;2020 Lua.org, PUC-Rio.
<P>
Permission is hereby granted, free of charge, to any person obtaining a copy
@ -355,10 +355,10 @@ THE SOFTWARE.
<P CLASS="footer">
Last update:
Mon Jun 18 22:57:33 -03 2018
Tue Jul 14 10:33:01 UTC 2020
</P>
<!--
Last change: revised for Lua 5.3.5
Last change: revised for Lua 5.3.6
-->
</BODY>


@ -102,7 +102,7 @@ c89:
freebsd:
$(MAKE) $(ALL) SYSCFLAGS="-DLUA_USE_LINUX -DLUA_USE_READLINE -I/usr/include/edit" SYSLIBS="-Wl,-E -ledit" CC="cc"
$(MAKE) $(ALL) SYSCFLAGS="-DLUA_USE_LINUX -I/usr/include/edit" SYSLIBS="-Wl,-E -ledit" CC="cc"
generic: $(ALL)


@ -1254,13 +1254,12 @@ LUA_API const char *lua_setupvalue (lua_State *L, int funcindex, int n) {
}
static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
static UpVal **getupvalref (lua_State *L, int fidx, int n) {
LClosure *f;
StkId fi = index2addr(L, fidx);
api_check(L, ttisLclosure(fi), "Lua function expected");
f = clLvalue(fi);
api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
if (pf) *pf = f;
return &f->upvals[n - 1]; /* get its upvalue pointer */
}
@ -1269,7 +1268,7 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, int n) {
StkId fi = index2addr(L, fidx);
switch (ttype(fi)) {
case LUA_TLCL: { /* lua closure */
return *getupvalref(L, fidx, n, NULL);
return *getupvalref(L, fidx, n);
}
case LUA_TCCL: { /* C closure */
CClosure *f = clCvalue(fi);
@ -1286,9 +1285,10 @@ LUA_API void *lua_upvalueid (lua_State *L, int fidx, int n) {
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
LClosure *f1;
UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
UpVal **up1 = getupvalref(L, fidx1, n1);
UpVal **up2 = getupvalref(L, fidx2, n2);
if (*up1 == *up2)
return;
luaC_upvdeccount(L, *up1);
*up1 = *up2;
(*up1)->refcount++;
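Review bot: The new early return in lua_upvaluejoin, `if (*up1 == *up2) return;`, carries no comment saying why it exists, although it is the whole fix for the self-join use-after-free named in the commit message. Without the guard, `luaC_upvdeccount(L, *up1)` runs before `(*up1)->refcount++`, so joining an upvalue with itself can apparently release the object and then touch it again. I would add `/* same upvalue: decrementing first could free it before it is re-referenced */` above the test. Both index checks in getupvalref are `api_check` calls, which presumably compile away unless API checking is enabled, so callers still have to pass valid indices. The body of lua_upvaluejoin continues past the end of the hunk.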


@ -1011,8 +1011,13 @@ static void *l_alloc (void *ud, void *ptr, size_t osize, size_t nsize) {
free(ptr);
return NULL;
}
else
return realloc(ptr, nsize);
else { /* cannot fail when shrinking a block */
void *newptr = realloc(ptr, nsize);
if (newptr == NULL && ptr != NULL && nsize <= osize)
return ptr; /* keep the original block */
else /* no fail or not shrinking */
return newptr; /* use the new block */
}
}
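Review bot: In the rewritten `else` branch of l_alloc, the `ptr != NULL` term of the guard deserves a comment, because it is the only thing that keeps `nsize <= osize` from being evaluated on a fresh allocation. Under the lua_Alloc contract `osize` is an object-kind tag rather than a size when `ptr` is NULL, so the comparison would be meaningless there. Suggested comment: `/* osize is a type tag, not a size, when ptr is NULL */`. Returning the old block on a failed shrink is sound, since realloc leaves the original block untouched when it fails.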


@ -1061,7 +1061,7 @@ static void codecomp (FuncState *fs, BinOpr opr, expdesc *e1, expdesc *e2) {
/*
** Aplly prefix operation 'op' to expression 'e'.
** Apply prefix operation 'op' to expression 'e'.
*/
void luaK_prefix (FuncState *fs, UnOpr op, expdesc *e, int line) {
static const expdesc ef = {VKINT, {0}, NO_JUMP, NO_JUMP};


@ -133,10 +133,11 @@ static const char *upvalname (Proto *p, int uv) {
static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
int nparams = clLvalue(ci->func)->p->numparams;
if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
if (n <= -nvararg)
return NULL; /* no such vararg */
else {
*pos = ci->func + nparams + n;
*pos = ci->func + nparams - n;
return "(*vararg)"; /* generic name for any vararg */
}
}
@ -148,7 +149,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, int n,
StkId base;
if (isLua(ci)) {
if (n < 0) /* access to vararg values? */
return findvararg(ci, -n, pos);
return findvararg(ci, n, pos);
else {
base = ci->u.l.base;
name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
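Review bot: In findvararg the new local `nvararg` does not look like the number of varargs: `ci->u.l.base - ci->func` also spans the function slot, so the value appears to be the count plus one, and `if (n <= -nvararg)` reads like an off-by-one to anyone who trusts the name. The comparison itself is the old `n >= ...` test with the sign flipped, so the accepted range is unchanged; a rename or a one-line comment would be enough. It is also worth recording why `n` now stays negative, presumably so that findlocal never evaluates `-n` for the most negative int: `/* 'n' is negative; never negate it (overflows for INT_MIN) */`. findlocal continues beyond the end of this section.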


@ -277,6 +277,8 @@ static int io_popen (lua_State *L) {
const char *filename = luaL_checkstring(L, 1);
const char *mode = luaL_optstring(L, 2, "r");
LStream *p = newprefile(L);
luaL_argcheck(L, ((mode[0] == 'r' || mode[0] == 'w') && mode[1] == '\0'),
2, "invalid mode");
p->f = l_popen(L, filename, mode);
p->closef = &io_pclose;
return (p->f == NULL) ? luaL_fileresult(L, 0, filename) : 1;
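Review bot: The new `luaL_argcheck` in io_popen accepts exactly "r" and "w", which also rejects mode strings that some platform popen() implementations take as extensions (FreeBSD's popen(3) documents "r+", for example), and nothing in the hunk says this is deliberate. Scripts that relied on such a mode would now get "invalid mode" where they used to get a pipe. A comment such as `/* only the portable modes "r" and "w" are accepted; platform extensions are rejected on purpose */` would document the behaviour change. As a matter of style the check could sit before `LStream *p = newprefile(L);`, so that the arguments are validated before the stream object is created.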


@ -244,12 +244,12 @@ static int read_numeral (LexState *ls, SemInfo *seminfo) {
/*
** skip a sequence '[=*[' or ']=*]'; if sequence is well formed, return
** its number of '='s; otherwise, return a negative number (-1 iff there
** are no '='s after initial bracket)
** reads a sequence '[=*[' or ']=*]', leaving the last bracket.
** If sequence is well formed, return its number of '='s + 2; otherwise,
** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...').
*/
static int skip_sep (LexState *ls) {
int count = 0;
static size_t skip_sep (LexState *ls) {
size_t count = 0;
int s = ls->current;
lua_assert(s == '[' || s == ']');
save_and_next(ls);
@ -257,11 +257,14 @@ static int skip_sep (LexState *ls) {
save_and_next(ls);
count++;
}
return (ls->current == s) ? count : (-count) - 1;
return (ls->current == s) ? count + 2
: (count == 0) ? 1
: 0;
}
static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
static void read_long_string (LexState *ls, SemInfo *seminfo, size_t sep) {
int line = ls->linenumber; /* initial line (for error message) */
save_and_next(ls); /* skip 2nd '[' */
if (currIsNewline(ls)) /* string starts with a newline? */
@ -295,8 +298,8 @@ static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) {
}
} endloop:
if (seminfo)
seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep),
luaZ_bufflen(ls->buff) - 2*(2 + sep));
seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep,
luaZ_bufflen(ls->buff) - 2 * sep);
}
@ -444,9 +447,9 @@ static int llex (LexState *ls, SemInfo *seminfo) {
/* else is a comment */
next(ls);
if (ls->current == '[') { /* long comment? */
int sep = skip_sep(ls);
size_t sep = skip_sep(ls);
luaZ_resetbuffer(ls->buff); /* 'skip_sep' may dirty the buffer */
if (sep >= 0) {
if (sep >= 2) {
read_long_string(ls, NULL, sep); /* skip long comment */
luaZ_resetbuffer(ls->buff); /* previous call may dirty the buff. */
break;
@ -458,12 +461,12 @@ static int llex (LexState *ls, SemInfo *seminfo) {
break;
}
case '[': { /* long string or simply '[' */
int sep = skip_sep(ls);
if (sep >= 0) {
size_t sep = skip_sep(ls);
if (sep >= 2) {
read_long_string(ls, seminfo, sep);
return TK_STRING;
}
else if (sep != -1) /* '[=...' missing second bracket */
else if (sep == 0) /* '[=...' missing second bracket */
lexerror(ls, "invalid long string delimiter", TK_STRING);
return '[';
}
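Review bot: After this change `sep` in read_long_string and llex is no longer the number of '=' signs but the full delimiter length (count + 2), with 0 and 1 reserved as error codes, and only the comment above skip_sep says so. The callers' `sep >= 2` and `sep == 0` tests and the `luaZ_bufflen(ls->buff) - 2 * sep` expression are hard to verify without that knowledge. I would add `/* 'sep' is the delimiter length: number of '='s + 2 */` above read_long_string and consider naming the two sentinel values. The move to size_t removes the signed arithmetic on very long runs of '='; the unsigned subtraction still relies on the buffer holding both delimiters, which the loop outside the hunk has to guarantee.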


@ -266,7 +266,7 @@ static const char *l_str2dloc (const char *s, lua_Number *result, int mode) {
** - 'n'/'N' means 'inf' or 'nan' (which should be rejected)
** - '.' just optimizes the search for the common case (nothing special)
** This function accepts both the current locale or a dot as the radix
** mark. If the convertion fails, it may mean number has a dot but
** mark. If the conversion fails, it may mean number has a dot but
** locale accepts something else. In that case, the code copies 's'
** to a buffer (because 's' is read-only), changes the dot to the
** current locale radix mark, and tries to convert again.


@ -544,6 +544,7 @@ static void open_func (LexState *ls, FuncState *fs, BlockCnt *bl) {
fs->bl = NULL;
f = fs->f;
f->source = ls->source;
luaC_objbarrier(ls->L, f, f->source);
f->maxstacksize = 2; /* registers 0/1 are always valid */
enterblock(fs, bl, 0);
}
@ -1616,6 +1617,7 @@ static void mainfunc (LexState *ls, FuncState *fs) {
fs->f->is_vararg = 1; /* main function is always declared vararg */
init_exp(&v, VLOCAL, 0); /* create and... */
newupvalue(fs, ls->envn, &v); /* ...set environment upvalue */
luaC_objbarrier(ls->L, fs->f, ls->envn);
luaX_next(ls); /* read first token */
statlist(ls); /* parse main body */
check(ls, TK_EOS);
@ -1634,6 +1636,7 @@ LClosure *luaY_parser (lua_State *L, ZIO *z, Mbuffer *buff,
sethvalue(L, L->top, lexstate.h); /* anchor it */
luaD_inctop(L);
funcstate.f = cl->p = luaF_newproto(L);
luaC_objbarrier(L, cl, cl->p);
funcstate.f->source = luaS_new(L, name); /* create and anchor TString */
lua_assert(iswhite(funcstate.f)); /* do not need barrier here */
lexstate.buff = buff;
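Review bot: In luaY_parser the added `luaC_objbarrier(L, cl, cl->p);` now sits two lines above `lua_assert(iswhite(funcstate.f)); /* do not need barrier here */`, and without explanation the two read as contradictory. They seem to cover different edges (closure to prototype versus prototype to source string), and the assertion presumably only holds as long as the new barrier never marks the freshly created prototype. A short comment such as `/* barrier for the cl -> p edge; the p -> source edge is covered by the assertion below */` would make that explicit. The new barrier in open_func after `f->source = ls->source;` would benefit from the same kind of one-line rationale.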


@ -1,5 +1,4 @@
/*
** $Id: lua.h,v 1.332.1.2 2018/06/13 16:58:17 roberto Exp $
** Lua - A Scripting Language
** Lua.org, PUC-Rio, Brazil (http://www.lua.org)
** See Copyright Notice at the end of this file
@ -19,11 +18,11 @@
#define LUA_VERSION_MAJOR "5"
#define LUA_VERSION_MINOR "3"
#define LUA_VERSION_NUM 503
#define LUA_VERSION_RELEASE "5"
#define LUA_VERSION_RELEASE "6"
#define LUA_VERSION "Lua " LUA_VERSION_MAJOR "." LUA_VERSION_MINOR
#define LUA_RELEASE LUA_VERSION "." LUA_VERSION_RELEASE
#define LUA_COPYRIGHT LUA_RELEASE " Copyright (C) 1994-2018 Lua.org, PUC-Rio"
#define LUA_COPYRIGHT LUA_RELEASE " Copyright (C) 1994-2020 Lua.org, PUC-Rio"
#define LUA_AUTHORS "R. Ierusalimschy, L. H. de Figueiredo, W. Celes"
@ -460,7 +459,7 @@ struct lua_Debug {
/******************************************************************************
* Copyright (C) 1994-2018 Lua.org, PUC-Rio.
* Copyright (C) 1994-2020 Lua.org, PUC-Rio.
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the


@ -85,8 +85,10 @@ static lua_Integer LoadInteger (LoadState *S) {
}
static TString *LoadString (LoadState *S) {
static TString *LoadString (LoadState *S, Proto *p) {
lua_State *L = S->L;
size_t size = LoadByte(S);
TString *ts;
if (size == 0xFF)
LoadVar(S, size);
if (size == 0)
@ -94,13 +96,17 @@ static TString *LoadString (LoadState *S) {
else if (--size <= LUAI_MAXSHORTLEN) { /* short string? */
char buff[LUAI_MAXSHORTLEN];
LoadVector(S, buff, size);
return luaS_newlstr(S->L, buff, size);
ts = luaS_newlstr(L, buff, size);
}
else { /* long string */
TString *ts = luaS_createlngstrobj(S->L, size);
ts = luaS_createlngstrobj(L, size);
setsvalue2s(L, L->top, ts); /* anchor it ('loadVector' can GC) */
luaD_inctop(L);
LoadVector(S, getstr(ts), size); /* load directly in final place */
return ts;
L->top--; /* pop string */
}
luaC_objbarrier(L, p, ts);
return ts;
}
@ -140,7 +146,7 @@ static void LoadConstants (LoadState *S, Proto *f) {
break;
case LUA_TSHRSTR:
case LUA_TLNGSTR:
setsvalue2n(S->L, o, LoadString(S));
setsvalue2n(S->L, o, LoadString(S, f));
break;
default:
lua_assert(0);
@ -158,6 +164,7 @@ static void LoadProtos (LoadState *S, Proto *f) {
f->p[i] = NULL;
for (i = 0; i < n; i++) {
f->p[i] = luaF_newproto(S->L);
luaC_objbarrier(S->L, f, f->p[i]);
LoadFunction(S, f->p[i], f->source);
}
}
@ -189,18 +196,18 @@ static void LoadDebug (LoadState *S, Proto *f) {
for (i = 0; i < n; i++)
f->locvars[i].varname = NULL;
for (i = 0; i < n; i++) {
f->locvars[i].varname = LoadString(S);
f->locvars[i].varname = LoadString(S, f);
f->locvars[i].startpc = LoadInt(S);
f->locvars[i].endpc = LoadInt(S);
}
n = LoadInt(S);
for (i = 0; i < n; i++)
f->upvalues[i].name = LoadString(S);
f->upvalues[i].name = LoadString(S, f);
}
static void LoadFunction (LoadState *S, Proto *f, TString *psource) {
f->source = LoadString(S);
f->source = LoadString(S, f);
if (f->source == NULL) /* no source in dump? */
f->source = psource; /* reuse parent's source */
f->linedefined = LoadInt(S);
@ -271,6 +278,7 @@ LClosure *luaU_undump(lua_State *L, ZIO *Z, const char *name) {
setclLvalue(L, L->top, cl);
luaD_inctop(L);
cl->p = luaF_newproto(L);
luaC_objbarrier(L, cl, cl->p);
LoadFunction(&S, cl->p, NULL);
lua_assert(cl->nupvalues == cl->p->sizeupvalues);
luai_verifycode(L, buff, cl->p);
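Review bot: LoadString gained a `Proto *p` parameter without any comment, and from the visible lines it is used only as the parent object in `luaC_objbarrier(L, p, ts)`. Every caller therefore has to pass the prototype that will end up holding the returned string (LoadConstants, LoadDebug and LoadFunction all pass `f`), which is easy to get wrong in a later edit. I would add `/* load a string that will be stored in prototype 'p'; 'p' is used only for the GC barrier */` above the function. In the long-string branch the anchor is pushed with `luaD_inctop(L)` but popped with a bare `L->top--;`, so a short comment pairing the two would also help.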