Fix buffer overflow in os.tmpname (#1180)

mrdomino · web-flow · commit 65c9b28e99e8 · 2024-05-20T03:46:27.000-04:00
At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp that takes up to 120 or so bytes to spell. Instead of overflowing, we do a bounds check and the function fails successfully on even longer /tmps. Fixes #1108 (os.tmpname crashes redbean)
diff --git a/third_party/lua/README.cosmo b/third_party/lua/README.cosmo
@@ -36,3 +36,5 @@ LOCAL MODIFICATIONS
   Added Python-like printf modulus operator for strings.
 
   Added Python-like printf multiply operator for strings.
+
+  Fixed a buffer overflow in os.tmpname
diff --git a/third_party/lua/loslib.c b/third_party/lua/loslib.c
@@ -133,12 +133,12 @@ __static_yoink("lua_notice");
 
 #if defined(LUA_USE_POSIX)	/* { */
 
-#define LUA_TMPNAMBUFSIZE	32
+#define LUA_TMPNAMBUFSIZE	128
 
 #define lua_tmpnam(b,e) { \
-        strcpy(b, __get_tmpdir()); \
-        strcat(b, "lua_XXXXXX"); \
-        e = mkstemp(b); \
+        strlcpy(b, __get_tmpdir(), LUA_TMPNAMBUFSIZE); \
+        e = strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE; \
+        e = e ? -1 : mkstemp(b); \
         if (e != -1) close(e); \
         e = (e == -1); }
 
