From e56048753634c32ea6eeedf74cef6f9cfea5f4ed Mon Sep 17 00:00:00 2001 From: Mike Pall Date: Thu, 13 Jan 2022 17:48:43 +0100 Subject: Limit exponent range in number parsing. Reported by XmiliaH. --- src/lj_strscan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lj_strscan.c b/src/lj_strscan.c index d18fab8c..947d9746 100644 --- a/src/lj_strscan.c +++ b/src/lj_strscan.c @@ -63,6 +63,7 @@ #define STRSCAN_MAXDIG 800 /* 772 + extra are sufficient. */ #define STRSCAN_DDIG (STRSCAN_DIG/2) #define STRSCAN_DMASK (STRSCAN_DDIG-1) +#define STRSCAN_MAXEXP (1 << 20) /* Helpers for circular buffer. */ #define DNEXT(a) (((a)+1) & STRSCAN_DMASK) @@ -399,6 +400,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt) if (dig) { ex = (int32_t)(dp-(p-1)); dp = p-1; while (ex < 0 && *dp-- == '0') ex++, dig--; /* Skip trailing zeros. */ + if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR; if (base == 16) ex *= 4; } } @@ -412,7 +414,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt) if (!lj_char_isdigit(*p)) return STRSCAN_ERROR; xx = (*p++ & 15); while (lj_char_isdigit(*p)) { - if (xx < 65536) xx = xx * 10 + (*p & 15); + xx = xx * 10 + (*p & 15); + if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR; p++; } ex += negx ? -(int32_t)xx : (int32_t)xx; -- cgit v1.2.1