[Tarantool-patches] [PATCH luajit] Limit exponent range in number parsing.

Wed Nov 22 02:14:00 MSK 2023

Hi, Sergey!
Thanks for the patch!
LGTM

--
Best regards,
Maxim Kokryashkin

>Вторник, 21 ноября 2023, 11:57 +03:00 от Sergey Kaplun <skaplun at tarantool.org>:
> 
>From: Mike Pall <mike>
>
>Reported by XmiliaH.
>
>(cherry-picked from commit e56048753634c32ea6eeedf74cef6f9cfea5f4ed)
>
>When parsing exponent powers greater than (1 << 16) * 10 == (65536 *
>10), the exponent values are cut without handling any values greater.
>This patch fixes the behaviour, but restricts the power maximum value by
>`STRSCAN_MAXEXP` (1 << 20).
>
>Sergey Kaplun:
>* added the description and the test for the problem
>
>Part of tarantool/tarantool#9145
>---
>
>Branch:
>https://github.com/tarantool/luajit/tree/skaplun/lj-788-limit-exponents-range
>Tarantool PR:  https://github.com/tarantool/tarantool/pull/9386
>Related issues:
>*  https://github.com/LuaJIT/LuaJIT/issues/788
>*  https://github.com/tarantool/tarantool/issues/9145
>
>
> src/lj_strscan.c | 5 +++-
> .../lj-788-limit-exponents-range.test.lua | 29 +++++++++++++++++++
> 2 files changed, 33 insertions(+), 1 deletion(-)
> create mode 100644 test/tarantool-tests/lj-788-limit-exponents-range.test.lua
>
>diff --git a/src/lj_strscan.c b/src/lj_strscan.c
>index ae8945e1..129010fd 100644
>--- a/src/lj_strscan.c
>+++ b/src/lj_strscan.c
>@@ -63,6 +63,7 @@
> #define STRSCAN_MAXDIG 800 /* 772 + extra are sufficient. */
> #define STRSCAN_DDIG (STRSCAN_DIG/2)
> #define STRSCAN_DMASK (STRSCAN_DDIG-1)
>+#define STRSCAN_MAXEXP (1 << 20)
> 
> /* Helpers for circular buffer. */
> #define DNEXT(a) (((a)+1) & STRSCAN_DMASK)
>@@ -449,6 +450,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o,
>       if (dig) {
>  ex = (int32_t)(dp-(p-1)); dp = p-1;
>  while (ex < 0 && *dp-- == '0') ex++, dig--; /* Skip trailing zeros. */
>+ if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;
>  if (base == 16) ex *= 4;
>       }
>     }
>@@ -462,7 +464,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o,
>       if (!lj_char_isdigit(*p)) return STRSCAN_ERROR;
>       xx = (*p++ & 15);
>       while (lj_char_isdigit(*p)) {
>- if (xx < 65536) xx = xx * 10 + (*p & 15);
>+ xx = xx * 10 + (*p & 15);
>+ if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR;
>  p++;
>       }
>       ex += negx ? -(int32_t)xx : (int32_t)xx;
>diff --git a/test/tarantool-tests/lj-788-limit-exponents-range.test.lua b/test/tarantool-tests/lj-788-limit-exponents-range.test.lua
>new file mode 100644
>index 00000000..8ab31600
>--- /dev/null
>+++ b/test/tarantool-tests/lj-788-limit-exponents-range.test.lua
>@@ -0,0 +1,29 @@
>+local tap = require('tap')
>+
>+-- Test file to demonstrate incorrect behaviour of exponent number
>+-- form parsing.
>+-- See also:  https://github.com/LuaJIT/LuaJIT/issues/788 .
>+local test = tap.test('lj-788-limit-exponents-range')
>+test:plan(2)
>+
>+-- Before the patch, the powers greater than (1 << 16) * 10
>+-- (655360) were parsed incorrectly. After the patch, powers
>+-- greater than 1 << 20 (1048576 `STRSCAN_MAXEXP`) are considered
>+-- invalid. See <src/lj_strscan.c> for details.
>+-- Choose the first value between these values and the second
>+-- value bigger than `STRSCAN_MAXEXP` to check parsing correctness
>+-- for the first one, and `STRSCAN_ERROR` for the second case.
>+local PARSABLE_EXP_POWER = 1000000
>+local TOO_LARGE_EXP_POWER = 1050000
>+
>+local function form_exp_string(n)
>+ return '0.' .. string.rep('0', n - 1) .. '1e' .. tostring(n)
>+end
>+
>+test:is(tonumber(form_exp_string(PARSABLE_EXP_POWER)), 1,
>+ 'correct parsing of large exponent')
>+
>+test:is(tonumber(form_exp_string(TOO_LARGE_EXP_POWER)), nil,
>+ 'too big exponent power is not parsed')
>+
>+test:done(true)
>--
>2.42.1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.tarantool.org/pipermail/tarantool-patches/attachments/20231122/ebb6eb16/attachment.htm>