Lua error reporting buffer overflow

nhl_error() was clobbering the stack.  I assume that the 'source'
field in the Lua debugging structure is normally a file name, but
nethack loads an entire Lua script into one long string because it
usually comes out of the DLB container, and 'source' contained the
full string.  That would overflow the local buffer in nhl_error()
if nethack encountered a Lua problem and tried to report it. (In
my case, the problem was in a level description file modification.)

[Not something under user control unless user can modify dat/*.lua
and put the result into $HACKDIR/nhdat.]
PatR
2020-01-24 12:52:35 -08:00
parent 424750867a
commit b2fa6292db
2 changed files with 12 additions and 3 deletions
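
The failure mode in the commit message, as an added example that is not NetHack's or Lua's code: a script loaded as one long string is reduced to a short, bounded label before it goes into a fixed-size report buffer. `ID_SIZE`, `BUF_SIZE` and all function names are assumptions, `make_short_src()` is a simplified stand-in for the label Lua keeps in `short_src`, and `snprintf` is used here instead of the commit's `Sprintf` with a precision.

```c
#include <stdio.h>
#include <string.h>

#define ID_SIZE 60   /* assumed cap, playing the role of LUA_IDSIZE */
#define BUF_SIZE 256 /* assumed size of the report buffer */

/* Reduce a whole script to a bounded label: its first line, cut to fit,
   with "..." appended whenever any of the text was left out. */
static void make_short_src(char *out, size_t outsz, const char *source)
{
    const char *pre = "[string \"", *post = "\"]";
    size_t room = outsz - strlen(pre) - strlen("...\"]") - 1;
    size_t len = strcspn(source, "\n"); /* length of the first line */

    if (len > room || source[len] != '\0')
        post = "...\"]";
    if (len > room)
        len = room;
    snprintf(out, outsz, "%s%.*s%s", pre, (int) len, source, post);
}

/* Build "msg (line N label)" in buf without writing past bufsz.
   Returns 1 if the report fit completely, 0 if it was cut short. */
static int format_report(char *buf, size_t bufsz, const char *msg,
                         int line, const char *source)
{
    char short_src[ID_SIZE];
    int n;

    make_short_src(short_src, sizeof short_src, source);
    n = snprintf(buf, bufsz, "%s (line %d %s)", msg, line, short_src);
    return n >= 0 && (size_t) n < bufsz;
}

/* Constructed input: a 4 KB "script" held in memory as one string. */
static const char *sample_script(void)
{
    static char script[4096];
    size_t i = (size_t) snprintf(script, sizeof script,
                                 "-- constructed level description\n");
    for (; i < sizeof script - 1; i++)
        script[i] = (i % 64 == 63) ? '\n' : 'x';
    script[sizeof script - 1] = '\0';
    return script;
}

int main(void)
{
    char buf[BUF_SIZE];
    int ok = format_report(buf, sizeof buf, "bad selection", 12, sample_script());
    printf("%s [%s]\n", buf, ok ? "complete" : "truncated");
    return 0;
}
```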

@@ -1,4 +1,4 @@
$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.71 $ $NHDT-Date: 1579655025 2020/01/22 01:03:45 $
$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.72 $ $NHDT-Date: 1579899144 2020/01/24 20:52:24 $
General Fixes and Modified Features
-----------------------------------
@@ -74,6 +74,7 @@ if running and Blind or Stunned or Fumbling or Dex < 10, encountering a closed
data.base lookup of an entry with any blank lines would falsely claim that
"'data' file in wrong fromat or corrupted" after some extra checks
were added while investigating tab handling anomalies
using nhl_error() to report a Lua processing problem would clobber the stack
Platform- and/or Interface-Specific Fixes

@@ -1,4 +1,4 @@
/* NetHack 3.7 nhlua.c $NHDT-Date: 1575246766 2019/12/02 00:32:46 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.16 $ */
/* NetHack 3.7 nhlua.c $NHDT-Date: 1579899144 2020/01/24 20:52:24 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.28 $ */
/* Copyright (c) 2018 by Pasi Kallinen */
/* NetHack may be freely redistributed. See license for details. */
@@ -44,8 +44,16 @@ const char *msg;
lua_getstack(L, 1, &ar);
lua_getinfo(L, "lS", &ar);
Sprintf(buf, "%s (line %i%s)", msg, ar.currentline, ar.source);
Sprintf(buf, "%s (line %d ", msg, ar.currentline);
Sprintf(eos(buf), "%.*s)",
/* (max length of ar.short_src is actually LUA_IDSIZE
so this is overkill for it, but crucial for ar.source) */
(int) (sizeof buf - (strlen(buf) + sizeof ")")),
ar.short_src); /* (used to be 'ar.source' here) */
lua_pushstring(L, buf);
#if 0 /* defined(PANICTRACE) && !defined(NO_SIGNALS) */
panictrace_setsignals(FALSE);
#endif
(void) lua_error(L);
/*NOTREACHED*/
}
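
Review bot: the first call, Sprintf(buf, "%s (line %d ", msg, ar.currentline), still copies msg with no length limit, so a long msg can overrun buf before the precision for the second call is ever computed. In that case sizeof buf - (strlen(buf) + sizeof ")") wraps as an unsigned value, and once cast to int it will typically be negative, which printf treats as if no precision were given, so ar.short_src is no longer bounded either. Suggest limiting msg with "%.*s" as well, or building the whole report with a single size-bounded call such as snprintf(buf, sizeof buf, ...).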