From 7dd538b82cfa0ac8a7746c9527eddade42c30fd5 Mon Sep 17 00:00:00 2001
From: LBPHacker
Date: Wed, 12 Jul 2017 21:30:41 +0200
Subject: [PATCH] Fix tpt.parts being unsafe

`tpt.parts` does check whether the particle ID it gets is valid, but it doesn't check whether that particle ID is used. One could potentially modify the life property of dead particles to break the linked list of free particle IDs, thus potentially gaining the ability to read from or write to arbitrary addresses in memory.
---
 src/lua/LegacyLuaAPI.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lua/LegacyLuaAPI.cpp b/src/lua/LegacyLuaAPI.cpp
index e8b31123e..ced95074d 100644
--- a/src/lua/LegacyLuaAPI.cpp
+++ b/src/lua/LegacyLuaAPI.cpp
@@ -32,6 +32,8 @@ int luacon_partread(lua_State* l)
 if (i < 0 || i >= NPART)
 return luaL_error(l, "Out of range");
+if (!luacon_sim->parts[i].type)
+return luaL_error(l, "dead particle");
 if (offset == -1)
 {
 if (!key.compare("id"))
@@ -68,6 +70,8 @@ int luacon_partwrite(lua_State* l)
 if (i < 0 || i >= NPART)
 return luaL_error(l, "Out of range");
+if (!luacon_sim->parts[i].type)
+return luaL_error(l, "dead particle");
 if (offset == -1)
 return luaL_error(l, "Invalid property");
@@ -95,6 +99,11 @@ int luacon_partsread(lua_State* l)
 {
 return luaL_error(l, "array index out of bounds");
 }
+
+if (!luacon_sim->parts[i].type)
+{
+return luaL_error(l, "dead particle");
+}
 lua_rawgeti(l, LUA_REGISTRYINDEX, tptPart);
 cIndex = i;
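Review bot: The new `parts[i].type` guard in luacon_partread carries no comment explaining why a dead slot must be rejected, and that reason (the free-ID list is threaded through the `.life` field of dead particles, as the commit message states) is exactly what a later maintainer needs in order not to relax it; I would put `// dead slots link the free-particle list through .life; reading or writing them corrupts it` above the check here and repeat it at the identical guards in the luacon_partwrite and luacon_partsread hunks. The new message also differs in style from its neighbour on the line above (`"Out of range"` vs `"dead particle"`); `"Dead particle"` would match. Since the same guard now appears three times, a small `static` helper (e.g. a `luacon_part_alive(i)` returning `bool`) would keep the copies from drifting apart. Note that luacon_partwrite's guard also rejects assigning `.type` into a dead slot, which is presumably intended since that is the path that bypassed the free list, but it deserves a sentence in the description. All three functions start before and continue past their hunks.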