diff options
| author | Mike Pall <mike> | 2022-01-13 17:48:43 +0100 |
|---|---|---|
| committer | Mike Pall <mike> | 2022-01-13 17:48:43 +0100 |
| commit | e56048753634c32ea6eeedf74cef6f9cfea5f4ed (patch) | |
| tree | 4f2edb808d55b3a2673a9bbc8149c40df492444f | |
| parent | 103c29e634d822e0affd7d3ae16a7d8a80c038d3 (diff) | |
| download | luajit2-e56048753634c32ea6eeedf74cef6f9cfea5f4ed.tar.gz | |
Limit exponent range in number parsing.
Reported by XmiliaH.
| -rw-r--r-- | src/lj_strscan.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lj_strscan.c b/src/lj_strscan.c index d18fab8c..947d9746 100644 --- a/src/lj_strscan.c +++ b/src/lj_strscan.c @@ -63,6 +63,7 @@ #define STRSCAN_MAXDIG 800 /* 772 + extra are sufficient. */ #define STRSCAN_DDIG (STRSCAN_DIG/2) #define STRSCAN_DMASK (STRSCAN_DDIG-1) +#define STRSCAN_MAXEXP (1 << 20) /* Helpers for circular buffer. */ #define DNEXT(a) (((a)+1) & STRSCAN_DMASK) @@ -399,6 +400,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt) if (dig) { ex = (int32_t)(dp-(p-1)); dp = p-1; while (ex < 0 && *dp-- == '0') ex++, dig--; /* Skip trailing zeros. */ + if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR; if (base == 16) ex *= 4; } } @@ -412,7 +414,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt) if (!lj_char_isdigit(*p)) return STRSCAN_ERROR; xx = (*p++ & 15); while (lj_char_isdigit(*p)) { - if (xx < 65536) xx = xx * 10 + (*p & 15); + xx = xx * 10 + (*p & 15); + if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR; p++; } ex += negx ? -(int32_t)xx : (int32_t)xx; |