From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id D276A9DD9B2;
	Tue, 30 Jan 2024 18:08:34 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org D276A9DD9B2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1706627314; bh=s71kEGdWrUwv+C8PNuJc/KoVKCTGD76rNAMcj0MAUuk=;
	h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc:From;
	b=BRzuHLNGKmhomVyjosKRYLmoqP/2bzL1y4uVph+ZLkBpnoHMwTm7zUK91Vq7SR/kE
	 UNsrmQzDoMzD2Ozpq5mS69FPKvJSRiWyQmqoWW9ZG06dS/FH3QBZBwewJkTLjqi62r
	 5/uWqm6GCFFG9T76adAbWvqteorhqRxN8n0lvJFk=
Received: from smtp16.i.mail.ru (smtp16.i.mail.ru [95.163.41.69])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id B8D0C7346C1
 for <tarantool-patches@dev.tarantool.org>;
 Tue, 30 Jan 2024 18:08:32 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org B8D0C7346C1
Received: by smtp16.i.mail.ru with esmtpa (envelope-from
 <skaplun@tarantool.org>)
 id 1rUpix-00000009nmx-2rPF; Tue, 30 Jan 2024 18:08:32 +0300
To: Maxim Kokryashkin <m.kokryashkin@tarantool.org>,
 Sergey Bronnikov <sergeyb@tarantool.org>
Date: Tue, 30 Jan 2024 18:04:37 +0300
Message-ID: <20240130150437.17133-1-skaplun@tarantool.org>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Mailru-Src: smtp
X-7564579A: EEAE043A70213CC8
X-77F55803: 4F1203BC0FB41BD93C58C36AA2E99649913F598E3EEE18285DA7E33959698359182A05F5380850404C228DA9ACA6FE273C15FF878184C5565D1BE6A8D71B10A5FD9ABB8A7D5426CF38CD1497D49BAB10B6A098A45AF874EE
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7A20935EE237A17ECEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637325F50A45595CD878638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D87D5CF845F65AE197E12E2F06CC43482613999023D85C0BC6CC7F00164DA146DAFE8445B8C89999728AA50765F7900637B18CEC08E50EEB57389733CBF5DBD5E9C8A9BA7A39EFB766F5D81C698A659EA7CC7F00164DA146DA9985D098DBDEAEC87AE820D2C17D0E56F6B57BC7E6449061A352F6E88A58FB86F5D81C698A659EA7E827F84554CEF5019E625A9149C048EE33AC447995A7AD182BEBFE083D3B9BA73A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E735D05AD665AB97B35DC4224003CC83647689D4C264860C145E
X-87b9d050: 1
X-C1DE0DAB: 0D63561A33F958A5E62984E914C022805002B1117B3ED696D5BD0D02DB6200FEED71F038FC046993823CB91A9FED034534781492E4B8EEADFB12F4B11BB5604FC79554A2A72441328621D336A7BC284946AD531847A6065A535571D14F44ED41
X-C8649E89: 1C3962B70DF3F0ADE00A9FD3E00BEEDF77DD89D51EBB7742D3581295AF09D3DF87807E0823442EA2ED31085941D9CD0AF7F820E7B07EA4CF3D6529AA869ECBDF989E817743773221D59A313CCEE4BA69BF776CBC03E12B59A703FE8D8B5282218FB01E7B8BF01A69F48E5CB251397F082474B4335973C69CDC030A034F431A4FC226CC413062362A913E6812662D5F2A5EAB5682573093F7837F15F2B5E4A70B33F2C28C22F508233FCF178C6DD14203
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojHUK3TkZYwr+IRpdjuHjOxg==
X-DA7885C5: F4715D3E64CD0C64F255D290C0D534F9BBE7A116E7BA4E41B94909D74B743CC8F8734F193E9DB8DE5B1A4C17EAA7BC4BEF2421ABFA55128DAF83EF9164C44C7E
X-Mailru-Sender: 689FA8AB762F7393590D8C940224AE3365FADE07EA2B4BBD40DB55470698C0153BE4D4A41490914CE49D44BB4BD9522A059A1ED8796F048DB274557F927329BE89D5A3BC2B10C37545BD1C3CC395C826B4A721A3011E896F
X-Mras: Ok
Subject: [Tarantool-patches] [PATCH luajit] Fix zero stripping in %g number
 formatting.
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org>
Reply-To: Sergey Kaplun <skaplun@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>

From: Mike Pall <mike>

Reported by pwnhacker0x18.

(cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc)

In the situation when the precision (`prec`) and amount of digits
(`hilen`) for the decimal representation are the same and `ndhi` == 0,
the `ndlo` part will become 64 (the size of the `nd` stack buffer), and
the overflow occurs.

This patch adds the corresponding mask (0x3f == 63) for the `ndlo`
incrementation result.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#9595
---

Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1149-g-number-formating
Tarantool PR: https://github.com/tarantool/tarantool/pull/9633

The test <app-tap/gh-2717-no-quit-sigint.test.lua> fails on M1 with the
timeout (see the example [1]). This fail is patch-unrelated, since I've
obscured this failure even for the branch without sources changes (tests
only).

Related Issues:
* https://github.com/LuaJIT/LuaJIT/issues/1149
* https://github.com/tarantool/tarantool/issues/9595

[1]: https://github.com/tarantool/luajit/actions/runs/7712549489/job/21020513973#step:8:5522

Duration of failed tests (seconds):
* 60.54 app-tap/gh-2717-no-quit-sigint.test.lua

 src/lj_strfmt_num.c                           |  3 ++-
 .../lj-1149-g-number-formating-bufov.test.lua | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua

diff --git a/src/lj_strfmt_num.c b/src/lj_strfmt_num.c
index c26204b7..c8d9febf 100644
--- a/src/lj_strfmt_num.c
+++ b/src/lj_strfmt_num.c
@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p)
 	    prec--;
 	    if (!i) {
 	      if (ndlo == ndhi) { prec = 0; break; }
-	      lj_strfmt_wuint9(tail, nd[++ndlo]);
+	      ndlo = (ndlo + 1) & 0x3f;
+	      lj_strfmt_wuint9(tail, nd[ndlo]);
 	      i = 9;
 	    }
 	  }
diff --git a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
new file mode 100644
index 00000000..040fd5de
--- /dev/null
+++ b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
@@ -0,0 +1,20 @@
+local tap = require('tap')
+
+-- Test file to demonstrate stack-buffer-overflow in the
+-- `lj_strfmt_wfnum()` call.
+-- See also: https://github.com/LuaJIT/LuaJIT/issues/1149.
+
+local test = tap.test('lj-1149-g-number-formating-bufov')
+test:plan(1)
+
+-- XXX: The test shows stack-buffer-overflow only under ASAN.
+-- The number value for the test is with the same precision
+-- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal
+-- representation. Hence, with `ndhi` == 0, the `ndlo` part will
+-- become 64 (the size of the `nd` stack buffer), and the overflow
+-- occurs.
+-- See details in the <src/lj_strfmt_num.c>:`lj_strfmt_wfnum()`.
+test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120',
+        'correct format %7g result')
+
+test:done(true)
-- 
2.43.0