packages/lua
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-24370

Browse Source
This commit is contained in:
zhuofeng 2024-09-20 15:20:32 +08:00
parent 2d84f2b2cd
commit ec1cc520fb
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
CVE-2020-24370.patch Normal file
View File

@ -0,0 +1,37 @@
From a585eae6e7ada1ca9271607a4f48dfb17868ab7b Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Mon, 27 Jul 2020 12:01:38 -0300
Subject: [PATCH] Fixed bug: Negation overflow in getlocal/setlocal
---
src/ldebug.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/ldebug.c b/src/ldebug.c
index e1389296e..bb0e1d4ac 100644
--- a/src/ldebug.c
+++ b/src/ldebug.c
@@ -133,10 +133,11 @@ static const char *upvalname (Proto *p, int uv) {
static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
int nparams = clLvalue(ci->func)->p->numparams;
- if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
+ int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
+ if (n <= -nvararg)
return NULL; /* no such vararg */
else {
- *pos = ci->func + nparams + n;
+ *pos = ci->func + nparams - n;
return "(*vararg)"; /* generic name for any vararg */
}
}
@@ -148,7 +149,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, int n,
StkId base;
if (isLua(ci)) {
if (n < 0) /* access to vararg values? */
- return findvararg(ci, -n, pos);
+ return findvararg(ci, n, pos);
else {
base = ci->u.l.base;
name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));

10
lua.spec
View File

@ -6,7 +6,7 @@
Name: lua Name: lua
Version: 5.3.5 Version: 5.3.5
Release: 4 Release: 5
Summary: A powerful, efficient, lightweight, embeddable scripting language Summary: A powerful, efficient, lightweight, embeddable scripting language
License: MIT License: MIT
URL: http://www.lua.org/ URL: http://www.lua.org/
@ -26,6 +26,7 @@ Patch3: lua-5.3.0-configure-compat-module.patch
#Patch for cves #Patch for cves
Patch6000: lua-CVE-2019-6706.patch Patch6000: lua-CVE-2019-6706.patch
Patch6001: CVE-2020-24370.patch
BuildRequires: automake autoconf libtool readline-devel ncurses-devel BuildRequires: automake autoconf libtool readline-devel ncurses-devel
@ -63,6 +64,7 @@ sed -i 's|5.3.0|%{version}|g' configure.ac
autoreconf -ifv autoreconf -ifv
%patch6000 -p1 %patch6000 -p1
%patch6001 -p1
%build %build
%configure --with-readline --with-compat-module %configure --with-readline --with-compat-module
@ -133,6 +135,12 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{_bindir}/lua -e"_U=
%{_mandir}/man1/lua*.1* %{_mandir}/man1/lua*.1*
%changelog %changelog
* Fri Sep 20 2024 zhuofeng <zhuofeng2@huawei.com> - 5.3.5-5
- Type:CVE
- CVE:CVE-2020-24370
- SUG:NA
- DESC:fix CVE-2020-24370
* Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 5.3.5-4 * Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 5.3.5-4
- Package rebuild - Package rebuild