commit 70c4345dbc19c2e304d8d481ccb391990b61c425
author Christopher Faulet <cfaulet@haproxy.com> Fri Aug 13 08:11:00 2021 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Fri Aug 13 08:36:42 2021 +0200
tree 95d1a870c6e22f87b7b9f6ef4cf404acd1440e1b
parent 24e7f354e9ccf292eb4404e7e50b87b5b0a61ccd

BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions

In Channel and HTTPMessage classes, several functions uses an offset that
may be negative to start from the end of incoming data. But, after
calculation, the offset must never be negative. However, there is a bug
because of a bad cast to unsigned when "input + offset" is performed. The
result must be a signed integer.

This patch should fix most of defects reported in the issue #1347. It only
affects 2.5-dev. No backport needed.

src/hlua.c

diff --git a/src/hlua.c b/src/hlua.c
index be95a97..717380c 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3120,7 +3120,7 @@
 	if (lua_gettop(L) > 1) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 2));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");
@@ -3183,7 +3183,7 @@
 	if (lua_gettop(L) > 1) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 2));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");
@@ -3519,9 +3519,8 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
-
 		if (offset < output || offset > output + input) {
 			lua_pushfstring(L, "offset out of range.");
 			WILL_LJMP(lua_error(L));
@@ -3579,7 +3578,7 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");
@@ -3653,7 +3652,7 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");
@@ -6478,7 +6477,7 @@
 	if (lua_gettop(L) > 1) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 2));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");
@@ -6596,9 +6595,8 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
-
 		if (offset < output || offset > output + input) {
 			lua_pushfstring(L, "offset out of range.");
 			WILL_LJMP(lua_error(L));
@@ -6639,9 +6637,8 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
-
 		if (offset < output || offset > output + input) {
 			lua_pushfstring(L, "offset out of range.");
 			WILL_LJMP(lua_error(L));
@@ -6701,7 +6698,7 @@
 	if (lua_gettop(L) > 2) {
 		offset = MAY_LJMP(luaL_checkinteger(L, 3));
 		if (offset < 0)
-			offset = MAX(0, input + offset);
+			offset = MAX(0, (int)input + offset);
 		offset += output;
 		if (offset < output || offset > input + output) {
 			lua_pushfstring(L, "offset out of range.");