Lua error reporting buffer overflow

nhl_error() was clobbering the stack.  I assume that the 'source'
field in the Lua debugging structure is normally a file name, but
nethack loads an entire Lua script into one long string because it
usually comes out of the DLB container, and 'source' contained the
full string.  That would overflow the local buffer in nhl_error()
if nethack encountered a Lua problem and tried to report it. (In
my case, the problem was in a level description file modification.)

[Not something under user control unless user can modify dat/*.lua
and put the result into $HACKDIR/nhdat.]

diff --git a/doc/fixes37.0 b/doc/fixes37.0
index cdbe956cde8a7ffe13c4ca5f7f7a20ef1e29b9da..539ce7f9abfb25033a2c66853a2e0814f0405130 100644 (file)
--- a/doc/fixes37.0
+++ b/doc/fixes37.0
@@ -1,4 +1,4 @@
-$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.71 $ $NHDT-Date: 1579655025 2020/01/22 01:03:45 $
+$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.72 $ $NHDT-Date: 1579899144 2020/01/24 20:52:24 $
 
 General Fixes and Modified Features
 -----------------------------------
@@ -74,6 +74,7 @@ if running and Blind or Stunned or Fumbling or Dex < 10, encountering a closed
 data.base lookup of an entry with any blank lines would falsely claim that
        "'data' file in wrong fromat or corrupted" after some extra checks
        were added while investigating tab handling anomalies
+using nhl_error() to report a Lua processing problem would clobber the stack
 
 
 Platform- and/or Interface-Specific Fixes

diff --git a/src/nhlua.c b/src/nhlua.c
index f215ea01c71903a8f347d474700d9f34664e9df4..170e3c3ed8f4ba7efbfe6fd96b86e49328b0eeaf 100644 (file)
--- a/src/nhlua.c
+++ b/src/nhlua.c
@@ -1,4 +1,4 @@
-/* NetHack 3.7 nhlua.c $NHDT-Date: 1575246766 2019/12/02 00:32:46 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.16 $ */
+/* NetHack 3.7 nhlua.c $NHDT-Date: 1579899144 2020/01/24 20:52:24 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.28 $ */
 /*      Copyright (c) 2018 by Pasi Kallinen */
 /* NetHack may be freely redistributed.  See license for details. */
 
@@ -44,8 +44,16 @@ const char *msg;
 
     lua_getstack(L, 1, &ar);
     lua_getinfo(L, "lS", &ar);
-    Sprintf(buf, "%s (line %i%s)", msg, ar.currentline, ar.source);
+    Sprintf(buf, "%s (line %d ", msg, ar.currentline);
+    Sprintf(eos(buf), "%.*s)",
+            /* (max length of ar.short_src is actually LUA_IDSIZE
+               so this is overkill for it, but crucial for ar.source) */
+            (int) (sizeof buf - (strlen(buf) + sizeof ")")),
+            ar.short_src); /* (used to be 'ar.source' here) */
     lua_pushstring(L, buf);
+#if 0 /* defined(PANICTRACE) && !defined(NO_SIGNALS) */
+    panictrace_setsignals(FALSE);
+#endif
     (void) lua_error(L);
     /*NOTREACHED*/
 }