From: Dmitry Volyntsev
Date: Tue, 27 Aug 2019 15:58:43 +0000 (+0300)
Subject: Fixed integer-overflow while parsing exponent of number literals.
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=037f5bc8f50e03ce93dfcfbff3cadff6993eab4c;p=njs.git
Fixed integer-overflow while parsing exponent of number literals.
---
diff --git a/src/njs_strtod.c b/src/njs_strtod.c
index 898cebe4..1cc3a924 100644
--- a/src/njs_strtod.c
+++ b/src/njs_strtod.c
@@ -251,6 +251,7 @@ njs_diyfp_strtod(const u_char *start, size_t length, int exp)
 static double
 njs_strtod_internal(const u_char *start, size_t length, int exp)
 {
+ int shift;
 size_t left, right;
 const u_char *p, *e, *b;
@@ -291,17 +292,17 @@ njs_strtod_internal(const u_char *start, size_t length, int exp)
 return 0.0;
 }
- exp += (int) (left - right);
+ shift = (int) (left - right);
- if (exp + (int) length - 1 >= NJS_DECIMAL_POWER_MAX) {
+ if (exp >= NJS_DECIMAL_POWER_MAX - shift - (int) length + 1) {
 return INFINITY;
 }
- if (exp + (int) length <= NJS_DECIMAL_POWER_MIN) {
+ if (exp <= NJS_DECIMAL_POWER_MIN - shift - (int) length) {
 return 0.0;
 }
- return njs_diyfp_strtod(start, length, exp);
+ return njs_diyfp_strtod(start, length, exp + shift);
 }
@@ -386,7 +387,9 @@ njs_strtod(const u_char **start, const u_char *end)
 break;
 }
- exp = exp * 10 + c;
+ if (exp < (INT_MAX - 9) / 10) {
+ exp = exp * 10 + c;
+ }
 }
 exponent += minus ? -exp : exp;
diff --git a/src/njs_unix.h b/src/njs_unix.h
index 89e8a6b7..c9fc2f07 100644
--- a/src/njs_unix.h
+++ b/src/njs_unix.h
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index f61eb3f3..64e316eb 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
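Review bot: The two rearranged bounds checks in njs_strtod_internal have no comment explaining why `shift` and `length` moved to the limit side, so a later cleanup could fold them back into `exp + ...` and reintroduce the signed overflow. I would add above the first check something like `/* Keep exp alone on the left: exp + shift + length can overflow int for huge exponents. */`. The casts `(int) (left - right)` and `(int) length` still assume the digit run is far shorter than INT_MAX; that bound is presumably enforced by the caller, which is not visible here. The function begins in the previous hunk and the code between the two hunks is not shown.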
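Review bot: The clamp added to the exponent loop in njs_strtod stops `exp` only just short of INT_MAX (it can still reach about INT_MAX - 18), so the context line `exponent += minus ? -exp : exp;` right after the loop can still overflow if `exponent` is already nonzero at that point. Its earlier value is set outside this hunk, so this needs checking against the full function. Anything beyond `NJS_DECIMAL_POWER_MAX` saturates to Infinity or 0 anyway, so a cap with real headroom loses nothing, for example `if (exp < (INT_MAX / 2 - 9) / 10) {`. A one-line comment saying that further exponent digits are deliberately ignored once the cap is reached would also help the next reader.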
@@ -12366,6 +12366,21 @@ static njs_unit_test_t njs_test[] =
 { njs_str("parseFloat('12345abc')"),
 njs_str("12345") },
+ { njs_str("parseFloat('1e2147483647')"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-2147483647')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e-2147483648')"),
+ njs_str("0") },
+
+ { njs_str("parseFloat('1e' + '5'.repeat(16))"),
+ njs_str("Infinity") },
+
+ { njs_str("parseFloat('1e-' + '5'.repeat(16))"),
+ njs_str("0") },
+
 { njs_str("parseFloat('0x')"),
 njs_str("0") },
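Review bot: Every added case uses a one-digit mantissa and goes through parseFloat, so none covers a numeric literal, which is what the commit title names. None covers a long mantissa combined with a near-INT_MAX exponent either, where the `exponent += ...` sum in njs_strtod is most exposed. Consider adding `{ njs_str("1e2147483647"), njs_str("Infinity") },` plus a case with many mantissa digits in front of the same exponent. Running the unit tests under an undefined-behaviour sanitizer would make a regression fail loudly instead of depending on how the overflow happens to wrap. The njs_test array extends well beyond this hunk.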