From ffde7bc14ef1b17915f348793648adf412b518b6 Mon Sep 17 00:00:00 2001
From: miller-alex <32752650+miller-alex@users.noreply.github.com>
Date: Mon, 23 Dec 2019 17:35:45 +0100
Subject: [PATCH] Fix buffer overflow in process_option()

If no value is specified the option name is copied without checking the length. Avoid the unnecessary copy and eliminate the fixed size buffer completely.
---
 src/host/premake.c | 37 +++++++++++++++----------------------
 1 file changed, 15 insertions(+), 22 deletions(-)

diff --git a/src/host/premake.c b/src/host/premake.c
index a8ad1140..0b1859c0 100644
--- a/src/host/premake.c
+++ b/src/host/premake.c
@@ -258,33 +258,26 @@ int process_arguments(lua_State* L, int argc, const char** argv)
 */
 int process_option(lua_State* L, const char* arg)
 {
- char key[512];
- const char* value;
-
 /* If a value is specified, split the option into a key/value pair */
- char* ptr = strchr(arg, '=');
- if (ptr)
+ const char* value = strchr(arg, '=');
+ if (value)
 {
- int len = (int)(ptr - arg);
- if (len > 511) len = 511;
- strncpy(key, arg, len);
- key[len] = '\0';
- value = ptr + 1;
+ /* Store it in the Options table, which is already on the stack */
+ lua_pushlstring(L, arg, value - arg);
+ lua_pushstring(L, ++value);
+ lua_settable(L, -4);
+
+ /* The /scripts option gets picked up here to find the built-in scripts */
+ if (strncmp(arg, "scripts=", value - arg) == 0 && strlen(value) > 0)
+ {
+ scripts_path = value;
+ }
 }
 else
 {
- strcpy(key, arg);
- value = "";
- }
-
- /* Store it in the Options table, which is already on the stack */
- lua_pushstring(L, value);
- lua_setfield(L, -3, key);
-
- /* The /scripts option gets picked up here to find the built-in scripts */
- if (strcmp(key, "scripts") == 0 && strlen(value) > 0)
- {
- scripts_path = value;
+ /* No value, store empty string in the Options table */
+ lua_pushliteral("");
+ lua_setfield(L, -3, arg);
 }
 
 return OKAY;
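Review bot: In the else branch, `lua_pushliteral("")` is missing the `lua_State` argument; the Lua macro takes `(L, s)`, so the line should not compile as written and should read `lua_pushliteral(L, "");`. Separately, the `strncmp(arg, "scripts=", value - arg)` test is only correct because `value` was already advanced past the `=` by `lua_pushstring(L, ++value)` a few lines earlier, which makes the compared length include the `=`. A short comment there, such as `/* value now points past '=', so value - arg spans "key=" */`, would keep a later reorder from silently turning the test into a prefix match on the option name. The body of process_option() closes outside the hunk.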