Skip to content

Commit

Permalink
Fix buffer overflow in os.tmpname
Browse files Browse the repository at this point in the history 
At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp
that takes up to 120 or so bytes to spell. Instead of overflowing, we do
a bounds check and the function fails successfully on even longer /tmps.

Fixes #1108 (os.tmpname crashes redbean)
  • Loading branch information
@mrdomino
mrdomino committed May 19, 2024
1 parent 42891e8 commit 5a6dbf6
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions third_party/lua/loslib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,12 +133,12 @@ __static_yoink("lua_notice");

#if defined(LUA_USE_POSIX) /* { */

#define LUA_TMPNAMBUFSIZE 32
#define LUA_TMPNAMBUFSIZE 128

#define lua_tmpnam(b,e) { \
strcpy(b, __get_tmpdir()); \
strcat(b, "lua_XXXXXX"); \
e = mkstemp(b); \
strlcpy(b, __get_tmpdir(), LUA_TMPNAMBUFSIZE); \
e = strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE; \
e = e ? -1 : mkstemp(b); \
if (e != -1) close(e); \
e = (e == -1); }

Expand Down

0 comments on commit 5a6dbf6

Please sign in to comment.