From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Maxim Kokryashkin, Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Wed, 24 Jan 2024 00:14:32 +0300
Subject: Re: [Tarantool-patches] [PATCH luajit] Limit exponent range in number parsing.
In-Reply-To: <20231121085253.13526-1-skaplun@tarantool.org>
References: <20231121085253.13526-1-skaplun@tarantool.org>
From: Mike Pall Reported by XmiliaH. (cherry-picked from commit e56048753634c32ea6eeedf74cef6f9cfea5f4ed) When parsing exponent powers greater than (1 << 16) * 10 == (65536 * 10), the exponent values are cut without handling any values greater. This patch fixes the behaviour, but restricts the power maximum value by `STRSCAN_MAXEXP` (1 << 20). Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#9145 --- Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-788-limit-exponents-range Tarantool PR: https://github.com/tarantool/tarantool/pull/9386 Related issues: * https://github.com/LuaJIT/LuaJIT/issues/788 * https://github.com/tarantool/tarantool/issues/9145 src/lj_strscan.c | 5 +++- .../lj-788-limit-exponents-range.test.lua | 29 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 test/tarantool-tests/lj-788-limit-exponents-range.test.lua diff --git a/src/lj_strscan.c b/src/lj_strscan.c index ae8945e1..129010fd 100644 --- a/src/lj_strscan.c +++ b/src/lj_strscan.c @@ -63,6 +63,7 @@ #define STRSCAN_MAXDIG 800 /* 772 + extra are sufficient. */ #define STRSCAN_DDIG (STRSCAN_DIG/2) #define STRSCAN_DMASK (STRSCAN_DDIG-1) +#define STRSCAN_MAXEXP (1 << 20) /* Helpers for circular buffer. */ #define DNEXT(a) (((a)+1) & STRSCAN_DMASK) @@ -449,6 +450,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o, if (dig) { ex = (int32_t)(dp-(p-1)); dp = p-1; while (ex < 0 && *dp-- == '0') ex++, dig--; /* Skip trailing zeros. */ + if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR; if (base == 16) ex *= 4; } } @@ -462,7 +464,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, MSize len, TValue *o, if (!lj_char_isdigit(*p)) return STRSCAN_ERROR; xx = (*p++ & 15); while (lj_char_isdigit(*p)) { - if (xx < 65536) xx = xx * 10 + (*p & 15); + xx = xx * 10 + (*p & 15); + if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR; p++; } ex += negx ? -(int32_t)xx : (int32_t)xx; 
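Review bot: the new `if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;` in lj_strscan.c sits above `if (base == 16) ex *= 4;`, so for hex literals the bound is applied to the digit count rather than to the binary exponent, and `ex` can still reach about -4 * STRSCAN_MAXEXP before the explicit exponent (bounded by the `xx >= STRSCAN_MAXEXP` check in the last hunk) is added to it. With STRSCAN_MAXEXP at 1 << 20 the sum stays far inside int32_t, so this is not an overflow, but either moving the check below the `ex *= 4` or a one-line comment stating which quantity is being bounded would make the intent explicit. Two smaller points: `xx >= STRSCAN_MAXEXP` rejects an exponent equal to 1 << 20 as well, so the largest accepted power is STRSCAN_MAXEXP - 1, which the commit message's "restricts the power maximum value by STRSCAN_MAXEXP" does not quite say; and the new define is the only one in that block without a trailing comment, where STRSCAN_MAXDIG directly above it has one.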
diff --git a/test/tarantool-tests/lj-788-limit-exponents-range.test.lua b/test/tarantool-tests/lj-788-limit-exponents-range.test.lua new file mode 100644 index 00000000..8ab31600 --- /dev/null +++ b/test/tarantool-tests/lj-788-limit-exponents-range.test.lua @@ -0,0 +1,29 @@ +local tap = require('tap') + +-- Test file to demonstrate incorrect behaviour of exponent number +-- form parsing. +-- See also: https://github.com/LuaJIT/LuaJIT/issues/788. +local test = tap.test('lj-788-limit-exponents-range') +test:plan(2) + +-- Before the patch, the powers greater than (1 << 16) * 10 +-- (655360) were parsed incorrectly. After the patch, powers +-- greater than 1 << 20 (1048576 `STRSCAN_MAXEXP`) are considered +-- invalid. See for details. +-- Choose the first value between these values and the second +-- value bigger than `STRSCAN_MAXEXP` to check parsing correctness +-- for the first one, and `STRSCAN_ERROR` for the second case. +local PARSABLE_EXP_POWER = 1000000 +local TOO_LARGE_EXP_POWER = 1050000 + +local function form_exp_string(n) + return '0.' .. string.rep('0', n - 1) .. '1e' .. tostring(n) +end + +test:is(tonumber(form_exp_string(PARSABLE_EXP_POWER)), 1, + 'correct parsing of large exponent') + +test:is(tonumber(form_exp_string(TOO_LARGE_EXP_POWER)), nil, + 'too big exponent power is not parsed') + +test:done(true) -- 2.42.1 -- Best regards, Sergey Kaplun
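Review bot: the 'too big exponent power is not parsed' case in lj-788-limit-exponents-range.test.lua never reaches the new `if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR;` check. form_exp_string(1050000) puts 1050000 characters after the decimal point, so `ex = (int32_t)(dp-(p-1))` is already -1050000 and the earlier `if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;` rejects the string before the exponent literal is scanned. Add a case with a short mantissa and a large explicit exponent, e.g. `test:is(tonumber('1e1050000'), nil, ...)`, so both new checks are exercised, and bump `test:plan(2)` accordingly. The header comment also says powers "greater than 1 << 20" are invalid, whereas the `>=` check rejects exactly 1 << 20 too, and "See for details." has lost its link.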
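To see the two checks this patch adds in isolation, here is an added example in C; it is not LuaJIT's lj_strscan.c and not part of this thread. It reimplements only the exponent arithmetic of lj_strscan_scan(): the implicit exponent taken from the position of the decimal point and the explicit exponent digits after 'e', in both the pre-patch form, where digits are silently dropped once xx reaches 65536, and the patched form, which rejects the literal at STRSCAN_MAXEXP. The mantissa is not converted; the functions only report the decimal exponent the digits would be scaled by, or rejection. The names scan_exp_old, scan_exp_new, scan_literal, scan_small_literal and SCAN_ERR are the example's own; STRSCAN_MAXEXP and its value are taken from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not LuaJIT code: models the exponent arithmetic of
 * lj_strscan_scan() before and after the fix. Only the exponent is
 * computed; mantissa digits are never converted. */

#define STRSCAN_MAXEXP (1 << 20)   /* value from the patch */
#define SCAN_ERR INT64_MIN         /* sentinel: literal rejected */

/* Explicit exponent digits, pre-patch behaviour (reconstructed from the
 * removed line): once xx reaches 65536 the remaining digits are consumed
 * but no longer accumulated, so "1000000" silently reads as 100000. */
static int scan_exp_old(const char **pp, int32_t *out)
{
  const char *p = *pp;
  int negx = 0;
  uint32_t xx;
  if (*p == '+' || *p == '-') negx = (*p++ == '-');
  if (*p < '0' || *p > '9') return 0;
  xx = (uint32_t)(*p++ & 15);
  while (*p >= '0' && *p <= '9') {
    if (xx < 65536) xx = xx * 10 + (uint32_t)(*p & 15);
    p++;
  }
  *pp = p;
  *out = negx ? -(int32_t)xx : (int32_t)xx;
  return 1;
}

/* Explicit exponent digits, patched behaviour: keep accumulating and
 * reject the literal as soon as the magnitude reaches STRSCAN_MAXEXP.
 * The check follows every multiply, so xx stays well inside uint32_t. */
static int scan_exp_new(const char **pp, int32_t *out)
{
  const char *p = *pp;
  int negx = 0;
  uint32_t xx;
  if (*p == '+' || *p == '-') negx = (*p++ == '-');
  if (*p < '0' || *p > '9') return 0;
  xx = (uint32_t)(*p++ & 15);
  while (*p >= '0' && *p <= '9') {
    xx = xx * 10 + (uint32_t)(*p & 15);
    if (xx >= STRSCAN_MAXEXP) return 0;
    p++;
  }
  *pp = p;
  *out = negx ? -(int32_t)xx : (int32_t)xx;
  return 1;
}

/* Scan digits[.digits][e[+-]digits] and return the decimal exponent the
 * mantissa digits would be scaled by, or SCAN_ERR if the literal is
 * rejected. `patched` selects old or new behaviour for both sources. */
static int64_t scan_literal(const char *s, int patched)
{
  const char *p = s, *dp = NULL;
  int hasdig = 0;
  int32_t ex = 0, xx;
  for (; ; p++) {
    if (*p >= '0' && *p <= '9') hasdig = 1;
    else if (*p == '.' && dp == NULL) dp = p;
    else break;
  }
  if (!hasdig) return SCAN_ERR;
  if (dp) {
    ex = (int32_t)(dp - (p - 1));   /* minus the number of fraction digits */
    if (patched && ex <= -STRSCAN_MAXEXP) return SCAN_ERR;
  }
  if (*p == 'e' || *p == 'E') {
    p++;
    if (!(patched ? scan_exp_new : scan_exp_old)(&p, &xx)) return SCAN_ERR;
    ex += xx;
  }
  if (*p != '\0') return SCAN_ERR;  /* trailing garbage */
  return ex;
}

/* Build "0." + (n-1) zeros + "1e<n>" (the shape the test file uses; its
 * mathematical value is exactly 1) and scan it. Constructed input. */
static int64_t scan_small_literal(uint32_t n, int patched)
{
  size_t len = (size_t)n + 32;
  char *s;
  int64_t r;
  if (n == 0) return SCAN_ERR;
  s = (char *)malloc(len);
  if (!s) return SCAN_ERR;
  memcpy(s, "0.", 2);
  memset(s + 2, '0', n - 1);
  snprintf(s + 2 + (n - 1), len - 2 - (n - 1), "1e%u", (unsigned)n);
  r = scan_literal(s, patched);
  free(s);
  return r;
}

static void print_case(const char *label, int64_t old_ex, int64_t new_ex)
{
  printf("%-26s pre-patch: ", label);
  if (old_ex == SCAN_ERR) printf("rejected"); else printf("ex=%lld", (long long)old_ex);
  printf("   patched: ");
  if (new_ex == SCAN_ERR) printf("rejected\n"); else printf("ex=%lld\n", (long long)new_ex);
}

int main(void)
{
  print_case("1e1000000", scan_literal("1e1000000", 0), scan_literal("1e1000000", 1));
  print_case("1e1050000", scan_literal("1e1050000", 0), scan_literal("1e1050000", 1));
  print_case("0.(999999 zeros)1e1000000", scan_small_literal(1000000, 0), scan_small_literal(1000000, 1));
  print_case("0.(1049999 zeros)1e1050000", scan_small_literal(1050000, 0), scan_small_literal(1050000, 1));
  return 0;
}
```

Note how the two inputs that mirror the test file diverge: the 1000000 case shows the old truncation (the fraction contributes -1000000 but the exponent digits only 100000, so the value underflows instead of being 1), while the 1050000 case is rejected by the decimal-point check before the exponent digits are ever read; only the short "1e1050000" literal exercises the exponent-digit check itself.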