- Subject: lua_newuserdata() and integer overflow
- From: Marc Balmer <marc@...>
- Date: Tue, 13 Jan 2015 09:40:40 +0100
Traditionally you allocate memory using malloc() and in Lua environments you might use lua_newuserdata() to get garbage collection. Now, when you allocate memory for more than one element, usually the idiom malloc(nelem * size) or lua_newuserdata(nelem * size) is used.
The integer multiplication, however, can overflow and lead to buffer overflows. Try e.g. malloc(65536 * 65536). In C libraries a function calloc(nelem, size) exists, but unfortunately it does not guarantee to not overflow either. On some operating systems, e.g. FreeBSD, it detects overflow and returns NULL.
I am suggesting to add a function to the Lua C API that is like lua_newuserdata(), but takes two parameters, a size and a number of elements, and that checks for overflow and returns NULL in this case:
lua_newuserdatas(size_t count, size_t size)
Thoughts on this?
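
The overflow described in the post and the kind of check the proposed function would perform, as an added example that is not part of the original message or of the Lua API. The names mul_overflows, unchecked_bytes, alloc_fn, malloc_hook and alloc_array are hypothetical, and malloc stands in for lua_newuserdata() so the code builds without the Lua headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Nonzero when count * size does not fit in size_t. */
static int mul_overflows(size_t count, size_t size)
{
    return size != 0 && count > SIZE_MAX / size;
}

/* The unchecked idiom: unsigned arithmetic silently wraps modulo SIZE_MAX + 1. */
static size_t unchecked_bytes(size_t count, size_t size)
{
    return count * size;
}

/* Hypothetical allocator hook; in a Lua binding this would wrap
 * lua_newuserdata(L, n). malloc is used so the example runs without Lua. */
typedef void *(*alloc_fn)(void *ctx, size_t n);

static void *malloc_hook(void *ctx, size_t n)
{
    (void)ctx;
    return malloc(n);
}

/* Checked array allocation: NULL on overflow, as the post proposes. */
static void *alloc_array(alloc_fn alloc, void *ctx, size_t count, size_t size)
{
    if (mul_overflows(count, size))
        return NULL;
    return alloc(ctx, count * size);
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 2 wraps to 0
     * whatever the width of size_t on this platform. */
    size_t count = SIZE_MAX / 2 + 1;

    printf("unchecked request: %zu bytes\n", unchecked_bytes(count, 2));
    printf("checked result:    %p\n", alloc_array(malloc_hook, NULL, count, 2));

    void *ok = alloc_array(malloc_hook, NULL, 16, sizeof(int));
    printf("16 ints allocated: %s\n", ok ? "yes" : "no");
    free(ok);
    return 0;
}
```

The division-based test avoids performing the multiplication before knowing it is safe, so it behaves the same on 32-bit and 64-bit size_t.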