[njs] Fixed integer-overflow while parsing exponent of number literals.

Dmitry Volyntsev
August 28, 2019 12:12PM
details: https://hg.nginx.org/njs/rev/949a244b6b2c
branches:
changeset: 1145:949a244b6b2c
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Tue Aug 27 18:58:43 2019 +0300
description:
Fixed integer-overflow while parsing exponent of number literals.

diffstat:

src/njs_strtod.c | 13 ++++++++-----
src/njs_unix.h | 1 +
src/test/njs_unit_test.c | 15 +++++++++++++++
3 files changed, 24 insertions(+), 5 deletions(-)

diffs (80 lines):

diff -r 4fd921f02096 -r 949a244b6b2c src/njs_strtod.c
--- a/src/njs_strtod.c Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_strtod.c Tue Aug 27 18:58:43 2019 +0300
@@ -251,6 +251,7 @@ njs_diyfp_strtod(const u_char *start, si
static double
njs_strtod_internal(const u_char *start, size_t length, int exp)
{
+ int shift;
size_t left, right;
const u_char *p, *e, *b;

@@ -291,17 +292,17 @@ njs_strtod_internal(const u_char *start,
return 0.0;
}

- exp += (int) (left - right);
+ shift = (int) (left - right);

- if (exp + (int) length - 1 >= NJS_DECIMAL_POWER_MAX) {
+ if (exp >= NJS_DECIMAL_POWER_MAX - shift - (int) length + 1) {
return INFINITY;
}

- if (exp + (int) length <= NJS_DECIMAL_POWER_MIN) {
+ if (exp <= NJS_DECIMAL_POWER_MIN - shift - (int) length) {
return 0.0;
}

- return njs_diyfp_strtod(start, length, exp);
+ return njs_diyfp_strtod(start, length, exp + shift);
}


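Review bot: The rearranged checks `exp >= NJS_DECIMAL_POWER_MAX - shift - (int) length + 1` and `exp <= NJS_DECIMAL_POWER_MIN - shift - (int) length` no longer add anything to `exp`, but they stay overflow-free only while `shift` and `(int) length` are small, and both are narrowed from `size_t` values (`left`, `right`, `length`) with a plain cast. A comment stating the assumed upper bound on the digit-string length, or an explicit check before the casts, would make that invariant visible. A one-line comment that `exp + shift` in the final `njs_diyfp_strtod()` call is safe only because both range checks have already passed would also help the next reader.
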
@@ -386,7 +387,9 @@ njs_strtod(const u_char **start, const u
break;
}

- exp = exp * 10 + c;
+ if (exp < (INT_MAX - 9) / 10) {
+ exp = exp * 10 + c;
+ }
}

exponent += minus ? -exp : exp;
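Review bot: The guard `if (exp < (INT_MAX - 9) / 10)` in the digit loop prevents the multiplication from overflowing, but it still lets `exp` grow to within a few units of `INT_MAX`, so `exponent += minus ? -exp : exp;` on the following line can overflow if `exponent` is already nonzero with the same sign at that point (its earlier value is not visible in this hunk). Saturating at a much smaller bound tied to the decimal power range would remove that dependency, since any exponent that large already maps to Infinity or 0. The silent dropping of further digits once the limit is reached also deserves a short comment explaining why the result is unaffected.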
diff -r 4fd921f02096 -r 949a244b6b2c src/njs_unix.h
--- a/src/njs_unix.h Tue Aug 27 16:31:00 2019 +0300
+++ b/src/njs_unix.h Tue Aug 27 18:58:43 2019 +0300
@@ -29,6 +29,7 @@
#include <string.h>
#include <math.h>
#include <float.h>
+#include <limits.h>
#include <time.h>
#include <fcntl.h>

diff -r 4fd921f02096 -r 949a244b6b2c src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Tue Aug 27 16:31:00 2019 +0300
+++ b/src/test/njs_unit_test.c Tue Aug 27 18:58:43 2019 +0300
@@ -12366,6 +12366,21 @@ static njs_unit_test_t njs_test[] =
{ njs_str("parseFloat('12345abc')"),
njs_str("12345") },

+ { njs_str("parseFloat('1e2147483647')"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-2147483647')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e-2147483648')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e' + '5'.repeat(16))"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-' + '5'.repeat(16))"),
+ njs_str("0") },
+
{ njs_str("parseFloat('0x')"),
njs_str("0") },

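Review bot: All five new cases use the mantissa `1` with no fractional part or extra digits, so they give little coverage of the `shift` and `length` terms that the rewritten comparisons in `njs_strtod_internal()` now depend on. Consider adding cases with a fractional or multi-digit mantissa combined with an extreme exponent, and at least one case that evaluates a number literal directly rather than going through `parseFloat()`, since the commit message names number literals.
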
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel