From 9091cfa617a4f593785b6093548dff70a07b1e0f Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 22 May 2026 16:11:52 +0200
Subject: [PATCH] BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket

In hlua_socket_receive_yield(), when we try to get a line, the trailing CRLF is stripped by decrementing the block length. The '\n' is first skipped, then, possible a preceeding '\r'. But the block lenght is never checked. If an empty line is returned, this leads to an integer underflow and most probably to a crash because this length is used to copy data into a LUA string. To fix the issue, the block length is now properly tested against 0 before decrementing it. This patch must be backported to all stable versions.
---
 src/hlua.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/hlua.c b/src/hlua.c
index cde144ab2..b87b587e4 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -2949,20 +2949,20 @@ __LJMP static int hlua_socket_receive_yield(struct lua_State *L, int status, lua
 
 /* remove final \r\n. */
 if (nblk == 1) {
- if (blk1[len1-1] == '\n') {
+ if (len1 && blk1[len1-1] == '\n') {
 len1--;
 skip_at_end++;
- if (blk1[len1-1] == '\r') {
+ if (len1 && blk1[len1-1] == '\r') {
 len1--;
 skip_at_end++;
 }
 }
 }
 else {
- if (blk2[len2-1] == '\n') {
+ if (len2 && blk2[len2-1] == '\n') {
 len2--;
 skip_at_end++;
- if (blk2[len2-1] == '\r') {
+ if (len2 && blk2[len2-1] == '\r') {
 len2--;
 skip_at_end++;
 }
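Review bot: In the `else` branch, when the second block holds only the `'\n'` (so `len2` drops to 0 after the first decrement), the new `len2 &&` guard correctly avoids indexing `blk2[len2-1]`, but a `'\r'` sitting at the end of `blk1` is then left in the line copied into the Lua string. If the two blocks are the two halves of a wrapped buffer, as the names suggest, the inner test could fall back to the first block with `else if (!len2 && len1 && blk1[len1-1] == '\r') { len1--; skip_at_end++; }`. Whether `skip_at_end` may account for a byte taken from `blk1` depends on code after the hunk, so that needs confirming before the change is applied. hlua_socket_receive_yield() starts and ends outside the hunk, and the declarations of `len1`/`len2` are not visible here.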