assorted bug fixes and many memory corruption fixes

fix: fix pop(-1) stack corruption

fix: fix many memory leaks and potential out-of-memory crashes

remove schema, never been used

fix: uninitialized memory access in parse_sockaddr

fix: uv_interface_addresses can fail

fix: interface indexes are already 1-based

fix: prevent malloc(-1)

fix: sparse_rawlen assumed the table was at index -2

fix: prevent infinite sleep

nit: add missing copyright headers

Author: truemedian

docs/docs.lua

@@ -4529,21 +4529,19 @@ local doc = {
 
             See [Constants][] for supported address `family` output values.
           ]],
-          returns = {
-            {
-              dict(
-                'string',
-                table({
-                  { 'ip', 'string' },
-                  { 'family', 'string' },
-                  { 'netmask', 'string' },
-                  { 'internal', 'boolean' },
-                  { 'mac', 'string' },
-                })
-              ),
-              'addresses',
-            },
-          },
+          returns = ret_or_fail(
+            dict(
+              'string',
+              table({
+                { 'ip', 'string' },
+                { 'family', 'string' },
+                { 'netmask', 'string' },
+                { 'internal', 'boolean' },
+                { 'mac', 'string' },
+              })
+            ),
+            'addresses'
+          ),
         },
         {
           name = 'if_indextoname',

docs/docs.md

@@ -44,6 +44,11 @@ static int luv_new_async(lua_State* L) {
   }
   data = luv_setup_handle(L, ctx);
   data->extra = (luv_thread_arg_t*)malloc(sizeof(luv_thread_arg_t));
+  if (!data->extra) {
+    handle->data = data;
+    uv_close((uv_handle_t*)handle, luv_handle_free);
+    return luaL_error(L, "Failed to allocate async args");
+  }
   data->extra_gc = free;
   memset(data->extra, 0, sizeof(luv_thread_arg_t));
   handle->data = data;

docs/meta.lua

@@ -543,6 +543,8 @@ static int luv_fs_read(lua_State* L) {
     offset = luaL_optinteger(L, 3, offset);
     ref = luv_check_continuation(L, 4);
   }
+  if (len < 0)
+    return luaL_error(L, "Length must be non-negative");
   data = (char*)malloc(len);
   if (!data) {
     luaL_unref(L, LUA_REGISTRYINDEX, ref);

src/async.c

@@ -18,9 +18,12 @@
 
 static void* luv_newuserdata(lua_State* L, size_t sz) {
   void* handle = malloc(sz);
-  if (handle) {
-    *(void**)lua_newuserdata(L, sizeof(void*)) = handle;
+  if (!handle) {
+    luaL_error(L, "out of memory");
+    return NULL; // unreachable
   }
+
+  *(void**)lua_newuserdata(L, sizeof(void*)) = handle;
   return handle;
 }
 

src/fs.c

@@ -50,4 +50,6 @@ typedef struct {
   luv_handle_extra_gc extra_gc;
 } luv_handle_t;
 
+static void luv_handle_free(uv_handle_t* handle);
+
 #endif

src/handle.c

@@ -93,7 +93,7 @@ typedef int (*luv_CFcpcall) (lua_State* L, lua_CFunction func, void* ud, int fla
 /* Default implementation of event callback */
 LUALIB_API int luv_cfpcall(lua_State* L, int nargs, int nresult, int flags);
 
-/* Default implementation of thread entory function */
+/* Default implementation of thread entry function */
 LUALIB_API int luv_cfcpcall(lua_State* L, lua_CFunction func, void* ud, int flags);
 
 typedef struct {

src/lhandle.h

@@ -65,12 +65,26 @@ static uv_buf_t* luv_prep_bufs(lua_State* L, int index, size_t *count, int **ref
   }
   *count = cnt;
   bufs = (uv_buf_t*)malloc(sizeof(uv_buf_t) * *count);
+  if (!bufs) luaL_error(L, "Failed to allocate buffer array");
   int *refs_array = NULL;
-  if (refs)
+  if (refs) {
     refs_array = (int*)malloc(sizeof(int) * (*count + 1));
+    if (!refs_array) {
+      free(bufs);
+      luaL_error(L, "Failed to allocate refs array");
+    }
+  }
   for (i = 0; i < *count; ++i) {
     lua_rawgeti(L, index, i + 1);
     if (!lua_isstring(L, -1)) {
+      /* free already-accumulated refs and heap allocations before throwing */
+      if (refs_array) {
+        size_t j;
+        for (j = 0; j < i; ++j)
+          luaL_unref(L, LUA_REGISTRYINDEX, refs_array[j]);
+        free(refs_array);
+      }
+      free(bufs);
       luaL_argerror(L, index, lua_pushfstring(L, "expected table of strings, found %s in the table", luaL_typename(L, -1)));
       return NULL;
     }
@@ -105,6 +119,7 @@ static uv_buf_t* luv_check_bufs(lua_State* L, int index, size_t* count, luv_req_
   else if (lua_isstring(L, index)) {
     *count = 1;
     bufs = (uv_buf_t*)malloc(sizeof(uv_buf_t));
+    if (!bufs) luaL_error(L, "Failed to allocate buffer");
     luv_prep_buf(L, index, bufs);
     lua_pushvalue(L, index);
     req_data->data_ref = luaL_ref(L, LUA_REGISTRYINDEX);
@@ -125,6 +140,7 @@ static uv_buf_t* luv_check_bufs_noref(lua_State* L, int index, size_t* count) {
   else if (lua_isstring(L, index)) {
     *count = 1;
     bufs = (uv_buf_t*)malloc(sizeof(uv_buf_t));
+    if (!bufs) luaL_error(L, "Failed to allocate buffer");
     luv_prep_buf(L, index, bufs);
   }
   else {
@@ -290,7 +306,8 @@ static int luv_interface_addresses(lua_State* L) {
   char ip[INET6_ADDRSTRLEN];
   char netmask[INET6_ADDRSTRLEN];
 
-  uv_interface_addresses(&interfaces, &count);
+  int ret = uv_interface_addresses(&interfaces, &count);
+  if (ret < 0) return luv_error(L, ret);
 
   lua_newtable(L);
 
@@ -494,7 +511,14 @@ static int luv_os_getenv(lua_State* L) {
   const char* name = luaL_checkstring(L, 1);
   size_t size = luaL_optinteger(L, 2, LUAL_BUFFERSIZE);
   char *buff = malloc(size);
+  if (!buff) return luaL_error(L, "Failed to allocate env buffer");
   int ret = uv_os_getenv(name, buff, &size);
+  if (ret == UV_ENOBUFS) {
+    /* size has been updated with the required length; reallocate and retry */
+    buff = realloc(buff, size);
+    if (!buff) return luaL_error(L, "Failed to allocate env buffer");
+    ret = uv_os_getenv(name, buff, &size);
+  }
   if (ret == 0) {
     lua_pushlstring(L, buff, size);
     ret = 1;
@@ -550,7 +574,7 @@ static int luv_if_indextoname(lua_State* L) {
   size_t scoped_addr_len = sizeof(scoped_addr);
   unsigned int ifindex = (unsigned int)luaL_checkinteger(L, 1);
 
-  int ret = uv_if_indextoname(ifindex - 1, scoped_addr, &scoped_addr_len);
+  int ret = uv_if_indextoname(ifindex, scoped_addr, &scoped_addr_len);
   if (ret == 0) {
     lua_pushlstring(L, scoped_addr, scoped_addr_len);
     ret = 1;
@@ -565,7 +589,7 @@ static int luv_if_indextoiid(lua_State* L) {
   size_t interface_id_len = sizeof(interface_id);
   unsigned int ifindex = (unsigned int)luaL_checkinteger(L, 1);
 
-  int ret = uv_if_indextoiid(ifindex - 1, interface_id, &interface_id_len);
+  int ret = uv_if_indextoiid(ifindex, interface_id, &interface_id_len);
   if (ret == 0) {
     lua_pushlstring(L, interface_id, interface_id_len);
     ret = 1;
@@ -683,14 +707,17 @@ static int luv_os_environ(lua_State* L) {
 #endif
 
 static int luv_sleep(lua_State* L) {
-  unsigned int msec = luaL_checkinteger(L, 1);
+  int msec = luaL_checkinteger(L, 1);
+  if (msec < 0)
+    msec = 0;
+
 #if LUV_UV_VERSION_GEQ(1, 34, 0)
-  uv_sleep(msec);
+  uv_sleep((unsigned int)msec);
 #else
 #ifdef _WIN32
-  Sleep(msec);
+  Sleep((unsigned int)msec);
 #else
-  usleep(msec * 1000);
+  usleep((unsigned int)msec * 1000);
 #endif
 #endif
   return 0;
@@ -824,7 +851,7 @@ static int luv_utf16_to_wtf8(lua_State *L) {
   sz = uv_utf16_length_as_wtf8(utf16, utf16_len);
   /* The wtf8_ptr must contain an extra space for an extra NUL after the result */
   wtf8 = malloc(sz + 1);
-  if (wtf8 == NULL) return luaL_error(L, "failed to allocate %zu bytes", sz + 1);
+  if (wtf8 == NULL) return luaL_error(L, "out of memory");
   /* Note: On success, *sz will not be modified */
   ret = uv_utf16_to_wtf8(utf16, utf16_len, &wtf8, &sz);
   if (ret == 0) {
@@ -852,7 +879,7 @@ static int luv_wtf8_to_utf16(lua_State *L) {
   const char* wtf8 = luaL_checklstring(L, 1, &sz);
   ssize_t ssz = uv_wtf8_length_as_utf16(wtf8);
   utf16 = malloc(ssz * 2);
-  if (utf16 == NULL) return luaL_error(L, "failed to allocate %zu bytes", ssz * 2);
+  if (utf16 == NULL) return luaL_error(L, "out of memory");
   uv_wtf8_to_utf16(wtf8, utf16, ssz);
   /* The returned string includes a NUL terminator, but we use Lua style string */
   lua_pushlstring(L, (const char*)utf16, (ssz-1) * 2);

src/luv.h

@@ -1,3 +1,19 @@
+/*
+ *  Copyright 2014 The Luvit Authors. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
 #ifndef LUV_PRIVATE_H
 #define LUV_PRIVATE_H