I found this bug doing some experiments with afl++. It's strange that it was not found by the oss-fuzz project.
I found a heap buffer overflow (read) in the luaH_getshortstr function.
Lua version:
Lua 5.4.4 Copyright (C) 1994-2022 Lua.org, PUC-Rio (commit 5d708c3f9cae12820e415d4f89c9eacbe2ab964b)
How to reproduce:
----------
1. git clone https://github.com/lua/lua -q
2. cd lua/ && make -j$(nproc)
3. echo -n "bG9jYWwgdSxfLE4sXyx3LE4sZCxXCmZ1bmN0aW9uIGMoRSxMLGwsUyxULHUsTSxULGwsaCxoLHUsdSxsLGgsaCx1LHUsTSx1LHUsdSxsLGgsaCxsKXM9cyBsb2NhbAllLGUsXyxfLE4sZSxzMCxOLFYsXyBmdW5jdGlvbiBjKGIsbClpLHM9TiBsb2NhbCBjIGxvY2FsIF9FTlY8Y29uc3Q+ID0wIG89MCBmdW5jdGlvbiBlKCllbmQ7ZSIicmV0dXJuIGVuZDtlMCxhLHcscyxzLHM9IiJyZXR1cm4jYyIiZW5kO2VlPSIicmV0dXJuDGMiIg==" | base64 -d > poc
4. ./lua ./poc
----------
Thanks for the report. It seems there is a 'luaK_exp2anyregup' missing
in 'singlevar':
--- a/lparser.c
+++ b/lparser.c
@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
expdesc key;
singlevaraux(fs, ls->envn, var, 1); /* get environment variable */
lua_assert(var->k != VVOID); /* this one must exist */
+ luaK_exp2anyregup(fs, var); /* but could be a constant */
codestring(&key, varname); /* key is variable name */
luaK_indexed(fs, var, &key); /* env[varname] */
}
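Review bot: the comment on the added line, `/* but could be a constant */`, understates why the call is needed. The preceding `lua_assert(var->k != VVOID)` only rules out a missing `_ENV`, while the very next lines build `env[varname]` through `luaK_indexed(fs, var, &key)`; since the patch puts `luaK_exp2anyregup` right before that call, the comment should spell out that the indexing code needs `var` in a register or upvalue, and that an `_ENV` declared as a `<const>` local with a literal initializer arrives here as a compile-time constant instead. A regression test for a free name accessed while `_ENV` is such a constant would also be worth adding alongside the fix.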
How did you find this bug?
-- Roberto
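The construct behind the fix, as a small regression check written for this thread (it is not the reporter's PoC nor code from the Lua project): a free name is sugar for `_ENV.name`, so when `_ENV` is a `<const>` local with a literal initializer, the parser must load that compile-time constant into a register before indexing it. On a patched interpreter the first case is an ordinary runtime error and the second resolves through the string metatable; the chunk names are assumptions.

```lua
-- Constructed regression check (added example, not from the thread).
-- In Lua 5.4, a <const> local initialised with a literal is a compile-time
-- constant and occupies no register, so the parser has to materialise it
-- before emitting the indexing instruction for a global access.
local function check_constant_env()
  local chunk = [[
    local _ENV <const> = 0   -- _ENV becomes a compile-time constant
    return x                 -- compiles to (_ENV).x, i.e. indexing 0
  ]]
  local f, compile_err = load(chunk, "=constenv", "t", {})
  if not f then
    return false, "compile error: " .. tostring(compile_err)
  end
  -- On a patched interpreter the constant 0 is loaded into a register
  -- and the field access on a number fails with a normal runtime error.
  local ok, err = pcall(f)
  if ok then
    return false, "expected an error, got a result"
  end
  if not string.find(err, "attempt to index", 1, true) then
    return false, "unexpected error: " .. tostring(err)
  end
  -- Same mechanism with a string constant: indexing a string goes through
  -- the string metatable, so the "global" upper resolves to string.upper.
  local g, err2 = load("local _ENV <const> = 'abc' return upper", "=constenv2")
  if not g then
    return false, "compile error: " .. tostring(err2)
  end
  if g() ~= string.upper then
    return false, "string _ENV case did not resolve through the metatable"
  end
  return true
end

local ok, why = check_constant_env()
print(ok and "constant _ENV handled correctly" or ("FAILED: " .. tostring(why)))
```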