[njs] Fixed integer-overflow while parsing exponent of number literals.

Dmitry Volyntsev xeioex at nginx.com
Wed Aug 28 16:10:24 UTC 2019


details:   https://hg.nginx.org/njs/rev/949a244b6b2c
branches:  
changeset: 1145:949a244b6b2c
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Tue Aug 27 18:58:43 2019 +0300
description:
Fixed integer-overflow while parsing exponent of number literals.

diffstat:

 src/njs_strtod.c         |  13 ++++++++-----
 src/njs_unix.h           |   1 +
 src/test/njs_unit_test.c |  15 +++++++++++++++
 3 files changed, 24 insertions(+), 5 deletions(-)

diffs (80 lines):

diff -r 4fd921f02096 -r 949a244b6b2c src/njs_strtod.c
--- a/src/njs_strtod.c	Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_strtod.c	Tue Aug 27 18:58:43 2019 +0300
@@ -251,6 +251,7 @@ njs_diyfp_strtod(const u_char *start, si
 static double
 njs_strtod_internal(const u_char *start, size_t length, int exp)
 {
+    int           shift;
     size_t        left, right;
     const u_char  *p, *e, *b;
 
@@ -291,17 +292,17 @@ njs_strtod_internal(const u_char *start,
         return 0.0;
     }
 
-    exp += (int) (left - right);
+    shift = (int) (left - right);
 
-    if (exp + (int) length - 1 >= NJS_DECIMAL_POWER_MAX) {
+    if (exp >= NJS_DECIMAL_POWER_MAX - shift - (int) length + 1) {
         return INFINITY;
     }
 
-    if (exp + (int) length <= NJS_DECIMAL_POWER_MIN) {
+    if (exp <= NJS_DECIMAL_POWER_MIN - shift - (int) length) {
         return 0.0;
     }
 
-    return njs_diyfp_strtod(start, length, exp);
+    return njs_diyfp_strtod(start, length, exp + shift);
 }
 
 
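Review bot: The rearranged range checks in njs_strtod_internal carry no comment explaining why `exp` is compared on its own instead of being summed first, so a later cleanup could fold `shift` back into `exp` and reintroduce the overflow. A short comment above `shift = (int) (left - right);` would pin the intent, for example `/* Keep exp alone on the left: it may be close to INT_MAX, while shift and length are bounded by the literal's size. */`. That bound is an assumption here, since `left` and `right` are computed outside this hunk. The `(int)` casts of `left - right` and `length` also presume the literal is far shorter than INT_MAX bytes, and the comment should say so if the callers guarantee it.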
@@ -386,7 +387,9 @@ njs_strtod(const u_char **start, const u
                     break;
                 }
 
-                exp = exp * 10 + c;
+                if (exp < (INT_MAX - 9) / 10) {
+                    exp = exp * 10 + c;
+                }
             }
 
             exponent += minus ? -exp : exp;
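Review bot: The context line `exponent += minus ? -exp : exp;` is still an unchecked signed addition, and the new guard `exp < (INT_MAX - 9) / 10` lets `exp` grow to within a few dozen of INT_MAX (2147483629 with a 32-bit int). If `exponent` can be non-zero at this point, the sum can still overflow; its earlier assignments are outside the hunk, so this needs checking against the digit-counting code above. A saturating add would close it, for example `exponent = (exp > INT_MAX - exponent) ? INT_MAX : exponent + exp;` for the positive case when `exponent` is non-negative, with the mirrored check against INT_MIN for the negative case. It would also help to note in a comment that digits past the cap are deliberately ignored because the result is already out of double range.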
diff -r 4fd921f02096 -r 949a244b6b2c src/njs_unix.h
--- a/src/njs_unix.h	Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_unix.h	Tue Aug 27 18:58:43 2019 +0300
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <math.h>
 #include <float.h>
+#include <limits.h>
 #include <time.h>
 #include <fcntl.h>
 
diff -r 4fd921f02096 -r 949a244b6b2c src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Tue Aug 27 16:31:00 2019 +0300
+++ b/src/test/njs_unit_test.c	Tue Aug 27 18:58:43 2019 +0300
@@ -12366,6 +12366,21 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("parseFloat('12345abc')"),
       njs_str("12345") },
 
+    { njs_str("parseFloat('1e2147483647')"),
+      njs_str("Infinity") },
+
+    { njs_str("parseFloat('1e-2147483647')"),
+      njs_str("0") },
+
+    { njs_str("parseFloat('1e-2147483648')"),
+      njs_str("0") },
+
+    { njs_str("parseFloat('1e' + '5'.repeat(16))"),
+      njs_str("Infinity") },
+
+    { njs_str("parseFloat('1e-' + '5'.repeat(16))"),
+      njs_str("0") },
+
     { njs_str("parseFloat('0x')"),
       njs_str("0") },
 
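Review bot: All five new cases use the mantissa `1`, so they presumably reach njs_strtod_internal with a zero `shift` and a `length` of 1, and never exercise the rearranged comparisons with a non-trivial mantissa. Consider adding cases that combine a near-limit exponent with a longer mantissa, for example (constructed) `{ njs_str("parseFloat('1' + '0'.repeat(30) + 'e2147483629')"), njs_str("Infinity") }` and a matching negative-exponent case with leading fractional zeros expecting `0`. Running the unit tests under `-fsanitize=undefined` would make any remaining signed overflow on these paths fail loudly rather than pass by accident.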

