[njs] Fixed undefined behaviour in njs_number_to_integer().
Dmitry Volyntsev
xeioex at nginx.com
Mon May 24 10:52:20 UTC 2021
details: https://hg.nginx.org/njs/rev/87f91ff16931
branches:
changeset: 1638:87f91ff16931
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Mon May 24 10:51:47 2021 +0000
description:
Fixed undefined behaviour in njs_number_to_integer().
C11: 6.3.1.4
... If the value of the integral part cannot be represented by the
integer type, the behavior is undefined.
Found by OSS-Fuzz.
diffstat:
src/njs_number.h | 14 +++++++-------
src/test/njs_unit_test.c | 3 +++
2 files changed, 10 insertions(+), 7 deletions(-)
diffs (42 lines):
diff -r 7b70ee90ead8 -r 87f91ff16931 src/njs_number.h
--- a/src/njs_number.h Mon May 17 20:35:35 2021 +0300
+++ b/src/njs_number.h Mon May 24 10:51:47 2021 +0000
@@ -56,18 +56,18 @@ njs_key_is_integer_index(double num, con
njs_inline int64_t
njs_number_to_integer(double num)
{
- if (njs_slow_path(isinf(num))) {
- if (num < 0) {
+ if (njs_fast_path(!isnan(num))) {
+ if (num < INT64_MIN) {
return INT64_MIN;
+
+ } else if (num > INT64_MAX) {
+ return INT64_MAX;
}
- return INT64_MAX;
-
- } else if (njs_slow_path(isnan(num))) {
- return 0;
+ return num;
}
- return trunc(num) + 0.0;
+ return 0;
}
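Review bot: The upper-bound check on the `num > INT64_MAX` line still leaves one undefined conversion: INT64_MAX is not representable as a double and rounds up to 2^63 when converted for the comparison, so num == 2^63 is not greater and falls through to `return num;`, which converts a value outside int64_t's range — the C11 6.3.1.4 case the commit cites. Comparing with `>=` closes the gap, because every double at or above 2^63 is out of range while the largest double below it (2^63 - 1024) is representable: `} else if (num >= INT64_MAX) {`. The lower bound needs no change since INT64_MIN is exactly -2^63 and `num < INT64_MIN` already excludes only out-of-range values. A short comment would keep the asymmetry between `<` and `>=` from being "fixed" later, e.g. `/* (double) INT64_MAX rounds up to 2^63, which is itself out of range. */`. The test added in src/test/njs_unit_test.c uses 2**64+1 and does not hit this exact boundary; a `'a'.repeat(2**63)` case expecting RangeError would cover it.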
diff -r 7b70ee90ead8 -r 87f91ff16931 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Mon May 17 20:35:35 2021 +0300
+++ b/src/test/njs_unit_test.c Mon May 24 10:51:47 2021 +0000
@@ -8882,6 +8882,9 @@ static njs_unit_test_t njs_test[] =
{ njs_str("''.repeat(2147483648)"),
njs_str("") },
+ { njs_str("'aaaaaaaa'.repeat(2**64+1)"),
+ njs_str("RangeError") },
+
{ njs_str("''.repeat(Infinity)"),
njs_str("RangeError") },