Limit exponent range in number parsing.

Reported by XmiliaH. (cherry-picked from commit e560487) When parsing exponent powers greater than (1 << 16) * 10 == (65536 * 10), the exponent values are cut without handling any values greater. This patch fixes the behaviour, but restricts the power maximum value by `STRSCAN_MAXEXP` (1 << 20). Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#9145
tarantool · Nov 21, 2023 · cf5d403 · cf5d403
1 parent fef60a1
commit cf5d403
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/src/lj_strscan.c b/src/lj_strscan.c
@@ -63,6 +63,7 @@
 #define STRSCAN_MAXDIG	800		/* 772 + extra are sufficient. */
 #define STRSCAN_DDIG	(STRSCAN_DIG/2)
 #define STRSCAN_DMASK	(STRSCAN_DDIG-1)
+#define STRSCAN_MAXEXP	(1 << 20)
 
 /* Helpers for circular buffer. */
 #define DNEXT(a)	(((a)+1) & STRSCAN_DMASK)
@@ -449,6 +450,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o,
       if (dig) {
 	ex = (int32_t)(dp-(p-1)); dp = p-1;
 	while (ex < 0 && *dp-- == '0') ex++, dig--;  /* Skip trailing zeros. */
+	if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;
 	if (base == 16) ex *= 4;
       }
     }
@@ -462,7 +464,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o,
       if (!lj_char_isdigit(*p)) return STRSCAN_ERROR;
       xx = (*p++ & 15);
       while (lj_char_isdigit(*p)) {
-	if (xx < 65536) xx = xx * 10 + (*p & 15);
+	xx = xx * 10 + (*p & 15);
+	if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR;
 	p++;
       }
       ex += negx ? -(int32_t)xx : (int32_t)xx;

diff --git a/test/tarantool-tests/lj-788-limit-exponents-range.test.lua b/test/tarantool-tests/lj-788-limit-exponents-range.test.lua
@@ -0,0 +1,29 @@
+local tap = require('tap')
+
+-- Test file to demonstrate incorrect behaviour of exponent number
+-- form parsing.
+-- See also: https://github.com/LuaJIT/LuaJIT/issues/788.
+local test = tap.test('lj-788-limit-exponents-range')
+test:plan(2)
+
+-- Before the patch, the powers greater than (1 << 16) * 10
+-- (655360) were parsed incorrectly. After the patch, powers
+-- greater than 1 << 20 (1048576 `STRSCAN_MAXEXP`) are considered
+-- invalid. See <src/lj_strscan.c> for details.
+-- Choose the first value between these values and the second
+-- value bigger than `STRSCAN_MAXEXP` to check parsing correctness
+-- for the first one, and `STRSCAN_ERROR` for the second case.
+local PARSABLE_EXP_POWER  = 1000000
+local TOO_LARGE_EXP_POWER = 1050000
+
+local function form_exp_string(n)
+  return '0.' .. string.rep('0', n - 1) .. '1e' .. tostring(n)
+end
+
+test:is(tonumber(form_exp_string(PARSABLE_EXP_POWER)), 1,
+        'correct parsing of large exponent')
+
+test:is(tonumber(form_exp_string(TOO_LARGE_EXP_POWER)), nil,
+        'too big exponent power is not parsed')
+
+test:done(true)