|
| 1 | +From 9138794bd0e51fe444f14803f891924798a651ac Mon Sep 17 00:00:00 2001 |
| 2 | +From: Vince Perri < [email protected]> |
| 3 | +Date: Mon, 15 Jul 2024 18:33:06 +0000 |
| 4 | +Subject: [PATCH] Prevent int underflow when parsing exponents |
| 5 | + |
| 6 | +From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001 |
| 7 | +From: Florin Malita < [email protected]> |
| 8 | +Date: Tue, 15 May 2018 22:48:07 -0400 |
| 9 | +Subject: [PATCH] Prevent int underflow when parsing exponents |
| 10 | + |
| 11 | +When parsing negative exponents, the current implementation takes |
| 12 | +precautions for |exp| to not underflow int. |
| 13 | + |
| 14 | +But that is not sufficient: later on [1], |exp + expFrac| is also |
| 15 | +stored to an int - so we must ensure that the sum stays within int |
| 16 | +representable values. |
| 17 | + |
| 18 | +Update the exp clamping logic to take expFrac into account. |
| 19 | + |
| 20 | +[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690 |
| 21 | +--- |
| 22 | + src/rapidjson/include/rapidjson/reader.h | 11 ++++++++++- |
| 23 | + src/rapidjson/test/unittest/readertest.cpp | 1 + |
| 24 | + 2 files changed, 11 insertions(+), 1 deletion(-) |
| 25 | + |
| 26 | +diff --git a/src/rapidjson/include/rapidjson/reader.h b/src/rapidjson/include/rapidjson/reader.h |
| 27 | +index 19f8849b1..a9f502307 100644 |
| 28 | +--- a/src/rapidjson/include/rapidjson/reader.h |
| 29 | ++++ b/src/rapidjson/include/rapidjson/reader.h |
| 30 | +@@ -1302,9 +1302,18 @@ private: |
| 31 | + if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) { |
| 32 | + exp = static_cast<int>(s.Take() - '0'); |
| 33 | + if (expMinus) { |
| 34 | ++ // (exp + expFrac) must not underflow int => we're detecting when -exp gets |
| 35 | ++ // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into |
| 36 | ++ // underflow territory): |
| 37 | ++ // |
| 38 | ++ // -(exp * 10 + 9) + expFrac >= INT_MIN |
| 39 | ++ // <=> exp <= (expFrac - INT_MIN - 9) / 10 |
| 40 | ++ RAPIDJSON_ASSERT(expFrac <= 0); |
| 41 | ++ int maxExp = (expFrac + 2147483639) / 10; |
| 42 | ++ |
| 43 | + while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) { |
| 44 | + exp = exp * 10 + static_cast<int>(s.Take() - '0'); |
| 45 | +- if (exp >= 214748364) { // Issue #313: prevent overflow exponent |
| 46 | ++ if (RAPIDJSON_UNLIKELY(exp > maxExp)) { |
| 47 | + while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9')) // Consume the rest of exponent |
| 48 | + s.Take(); |
| 49 | + } |
| 50 | +diff --git a/src/rapidjson/test/unittest/readertest.cpp b/src/rapidjson/test/unittest/readertest.cpp |
| 51 | +index 64a1f9c3c..65163de60 100644 |
| 52 | +--- a/src/rapidjson/test/unittest/readertest.cpp |
| 53 | ++++ b/src/rapidjson/test/unittest/readertest.cpp |
| 54 | +@@ -242,6 +242,7 @@ static void TestParseDouble() { |
| 55 | + TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0); // Maximum supported negative exponent |
| 56 | + TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0); |
| 57 | + TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0); |
| 58 | ++ TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0); |
| 59 | + TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form |
| 60 | + |
| 61 | + // Since |
| 62 | +-- |
| 63 | +2.34.1 |
| 64 | + |
0 commit comments