]> git.proxmox.com Git - mirror_ovs.git/commitdiff
projects / mirror_ovs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bc759a2)
json: Avoid signed integer overflow in parsing exponents.
authorBen Pfaff <blp@ovn.org>
Mon, 25 Jun 2018 18:23:36 +0000 (11:23 -0700)
committerBen Pfaff <blp@ovn.org>
Thu, 5 Jul 2018 22:08:20 +0000 (15:08 -0700)
This can't cause a crash and doesn't seem relevant to normal operation.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9044
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
lib/json.c patch | blob | blame | history
tests/json.at patch | blob | blame | history

diff --git a/lib/json.c b/lib/json.c
index 99a68a3d9eaccfbc1bb4ab2498595e9edc357f4e..32d25003b81098ae442119de179843fbd2d326b8 100644 (file)
--- a/lib/json.c
+++ b/lib/json.c
@@ -718,16 +718,21 @@ json_lex_number(struct json_parser *p)
         exponent = 0;
         do {
             if (exponent >= INT_MAX / 10) {
-                json_error(p, "exponent outside valid range");
-                return;
+                goto bad_exponent;
             }
             exponent = exponent * 10 + (*cp - '0');
             cp++;
         } while (isdigit((unsigned char) *cp));
 
         if (negative_exponent) {
+            if (pow10 < INT_MIN + exponent) {
+                goto bad_exponent;
+            }
             pow10 -= exponent;
         } else {
+            if (pow10 > INT_MAX - exponent) {
+                goto bad_exponent;
+            }
             pow10 += exponent;
         }
     }
@@ -777,6 +782,10 @@ json_lex_number(struct json_parser *p)
         token.real = 0;
     }
     json_parser_input(p, &token);
+    return;
+
+bad_exponent:
+    json_error(p, "exponent outside valid range");
 }
 
 static const char *
diff --git a/tests/json.at b/tests/json.at
index 325ac94354b3de4c35885f69b6cd6cd275c1d315..3c9e7cdafda14e5ec2b920c425c71c040e233031 100644 (file)
--- a/tests/json.at
+++ b/tests/json.at
@@ -279,10 +279,22 @@ JSON_CHECK_NEGATIVE(
   [1e9999 is too big],
   [[[1e9999]]],
   [error: number outside valid range])
-JSON_CHECK_NEGATIVE(
+JSON_CHECK_NEGATIVE_C(
   [exponent bigger than INT_MAX],
   [[[1e9999999999999999999]]],
   [error: exponent outside valid range])
+JSON_CHECK_NEGATIVE_C(
+  [exponent smaller than INT_MIN],
+  [[[1e-9999999999999999999]]],
+  [error: exponent outside valid range])
+JSON_CHECK_NEGATIVE_C(
+  [accumulated exponent bigger than INT_MAX],
+  [[[340282366920938463461761716499e2147483647]]],
+  [error: exponent outside valid range])
+JSON_CHECK_NEGATIVE_C(
+  [accumulated exponent smaller than INT_MIN],
+  [[[0.340282366920938463461761716499e-2147483648]]],
+  [error: exponent outside valid range])
 JSON_CHECK_NEGATIVE(
   [decimal point must be followed by digit],
   [[[1.]]],
openvswitch mirror