Dmitry Volyntsev
May 24, 2021 06:54AM
details: https://hg.nginx.org/njs/rev/87f91ff16931
branches:
changeset: 1638:87f91ff16931
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon May 24 10:51:47 2021 +0000
description:
Fixed undefined behaviour in njs_number_to_integer().

C11: 6.3.1.4
.... If the value of the integral part cannot be represented by the
integer type, the behavior is undefined.

Found by OSS-Fuzz.

diffstat:

src/njs_number.h | 14 +++++++-------
src/test/njs_unit_test.c | 3 +++
2 files changed, 10 insertions(+), 7 deletions(-)

diffs (42 lines):

diff -r 7b70ee90ead8 -r 87f91ff16931 src/njs_number.h
--- a/src/njs_number.h Mon May 17 20:35:35 2021 +0300
+++ b/src/njs_number.h Mon May 24 10:51:47 2021 +0000
@@ -56,18 +56,18 @@ njs_key_is_integer_index(double num, con
njs_inline int64_t
njs_number_to_integer(double num)
{
- if (njs_slow_path(isinf(num))) {
- if (num < 0) {
+ if (njs_fast_path(!isnan(num))) {
+ if (num < INT64_MIN) {
return INT64_MIN;
+
+ } else if (num > INT64_MAX) {
+ return INT64_MAX;
}

- return INT64_MAX;
-
- } else if (njs_slow_path(isnan(num))) {
- return 0;
+ return num;
}

- return trunc(num) + 0.0;
+ return 0;
}


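Review bot: The upper bound check `num > INT64_MAX` in njs_number_to_integer() still lets one out-of-range value through. INT64_MAX (2^63 - 1) has no exact double representation, so for the comparison it is converted to double and, with the usual round-to-nearest conversion, becomes 2^63. A num equal to exactly 2^63 is therefore not greater than the bound, falls through to `return num;`, and that conversion to int64_t is the same C11 6.3.1.4 undefined behaviour the commit sets out to remove. Comparing with `num >= 0x1p63` (or `num >= 9223372036854775808.0`) before returning INT64_MAX closes the gap; the lower check `num < INT64_MIN` is fine because -2^63 is exactly representable. Since trunc() is gone, a short comment that `return num;` relies on the implicit truncation toward zero would also help.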
diff -r 7b70ee90ead8 -r 87f91ff16931 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Mon May 17 20:35:35 2021 +0300
+++ b/src/test/njs_unit_test.c Mon May 24 10:51:47 2021 +0000
@@ -8882,6 +8882,9 @@ static njs_unit_test_t njs_test[] =
{ njs_str("''.repeat(2147483648)"),
njs_str("") },

+ { njs_str("'aaaaaaaa'.repeat(2**64+1)"),
+ njs_str("RangeError") },
+
{ njs_str("''.repeat(Infinity)"),
njs_str("RangeError") },

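Review bot: The added case `'aaaaaaaa'.repeat(2**64+1)` exercises only the upper clamp, and with a value far above it. Consider adding a count of exactly `2**63`, which sits on the INT64_MAX boundary of the new check in njs_number_to_integer(), and a large negative count such as `-2**64` for the INT64_MIN branch, so that both new branches are covered by the unit tests.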
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel