[njs] Fixed integer-overflow while parsing exponent of number literals.
Dmitry Volyntsev
xeioex at nginx.com
Wed Aug 28 16:10:24 UTC 2019
details: https://hg.nginx.org/njs/rev/949a244b6b2c
branches:
changeset: 1145:949a244b6b2c
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Tue Aug 27 18:58:43 2019 +0300
description:
Fixed integer-overflow while parsing exponent of number literals.
diffstat:
src/njs_strtod.c | 13 ++++++++-----
src/njs_unix.h | 1 +
src/test/njs_unit_test.c | 15 +++++++++++++++
3 files changed, 24 insertions(+), 5 deletions(-)
diffs (80 lines):
diff -r 4fd921f02096 -r 949a244b6b2c src/njs_strtod.c
--- a/src/njs_strtod.c Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_strtod.c Tue Aug 27 18:58:43 2019 +0300
@@ -251,6 +251,7 @@ njs_diyfp_strtod(const u_char *start, si
static double
njs_strtod_internal(const u_char *start, size_t length, int exp)
{
+ int shift;
size_t left, right;
const u_char *p, *e, *b;
@@ -291,17 +292,17 @@ njs_strtod_internal(const u_char *start,
return 0.0;
}
- exp += (int) (left - right);
+ shift = (int) (left - right);
- if (exp + (int) length - 1 >= NJS_DECIMAL_POWER_MAX) {
+ if (exp >= NJS_DECIMAL_POWER_MAX - shift - (int) length + 1) {
return INFINITY;
}
- if (exp + (int) length <= NJS_DECIMAL_POWER_MIN) {
+ if (exp <= NJS_DECIMAL_POWER_MIN - shift - (int) length) {
return 0.0;
}
- return njs_diyfp_strtod(start, length, exp);
+ return njs_diyfp_strtod(start, length, exp + shift);
}
@@ -386,7 +387,9 @@ njs_strtod(const u_char **start, const u
break;
}
- exp = exp * 10 + c;
+ if (exp < (INT_MAX - 9) / 10) {
+ exp = exp * 10 + c;
+ }
}
exponent += minus ? -exp : exp;
diff -r 4fd921f02096 -r 949a244b6b2c src/njs_unix.h
--- a/src/njs_unix.h Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_unix.h Tue Aug 27 18:58:43 2019 +0300
@@ -29,6 +29,7 @@
#include <string.h>
#include <math.h>
#include <float.h>
+#include <limits.h>
#include <time.h>
#include <fcntl.h>
diff -r 4fd921f02096 -r 949a244b6b2c src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Aug 27 16:31:00 2019 +0300
+++ b/src/test/njs_unit_test.c Tue Aug 27 18:58:43 2019 +0300
@@ -12366,6 +12366,21 @@ static njs_unit_test_t njs_test[] =
{ njs_str("parseFloat('12345abc')"),
njs_str("12345") },
+ { njs_str("parseFloat('1e2147483647')"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-2147483647')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e-2147483648')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e' + '5'.repeat(16))"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-' + '5'.repeat(16))"),
+ njs_str("0") },
+
{ njs_str("parseFloat('0x')"),
njs_str("0") },
More information about the nginx-devel
mailing list