LuaJIT
/
LuaJIT
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Limit exponent range in number parsing. 

Reported by XmiliaH.
master
Mike Pall 2022-01-13 17:48:43 +01:00
parent 103c29e634
commit e560487536
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/lj_strscan.c
View File

@ -63,6 +63,7 @@
#define STRSCAN_MAXDIG 800 /* 772 + extra are sufficient. */
#define STRSCAN_DDIG (STRSCAN_DIG/2)
#define STRSCAN_DMASK (STRSCAN_DDIG-1)
#define STRSCAN_MAXEXP (1 << 20)
/* Helpers for circular buffer. */
#define DNEXT(a) (((a)+1) & STRSCAN_DMASK)
@ -399,6 +400,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt)
if (dig) {
ex = (int32_t)(dp-(p-1)); dp = p-1;
while (ex < 0 && *dp-- == '0') ex++, dig--; /* Skip trailing zeros. */
if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;
if (base == 16) ex *= 4;
}
}
@ -412,7 +414,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt)
if (!lj_char_isdigit(*p)) return STRSCAN_ERROR;
xx = (*p++ & 15);
while (lj_char_isdigit(*p)) {
if (xx < 65536) xx = xx * 10 + (*p & 15);
xx = xx * 10 + (*p & 15);
if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR;
p++;
}
ex += negx ? -(int32_t)xx : (int32_t)xx;