archive-gh-me/jerryscript
1
0
Fork 0
mirror of https://github.com/jerryscript-project/jerryscript.git synced 2025-12-15 16:29:21 +00:00
Code Issues Projects Releases Wiki Activity

Fix buffer overflow in string radix conversion (#4850)

Browse Source 
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
This commit is contained in:
Robert Fancsik 2021-12-07 15:28:10 +01:00 committed by GitHub
parent 18dd9aa75a
commit 55acdf2048
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
jerry-core/ecma/base/ecma-helpers-conversion.c
View File

@ -368,16 +368,6 @@ ecma_utf8_string_to_number (const lit_utf8_byte_t *str_p, /**< utf-8 string */
bool sign = false;
if (*str_p == LIT_CHAR_PLUS)
{
str_p++;
}
else if (*str_p == LIT_CHAR_MINUS)
{
sign = true;
str_p++;
}
if (str_p + 2 < end_p && str_p[0] == LIT_CHAR_0)
{
uint8_t radix = lit_char_to_radix (str_p[1]);
@ -388,6 +378,16 @@ ecma_utf8_string_to_number (const lit_utf8_byte_t *str_p, /**< utf-8 string */
}
}
if (*str_p == LIT_CHAR_PLUS)
{
str_p++;
}
else if (*str_p == LIT_CHAR_MINUS)
{
sign = true;
str_p++;
}
/* Check if string is equal to "Infinity". */
const lit_utf8_byte_t *infinity_str_p = lit_get_magic_string_utf8 (LIT_MAGIC_STRING_INFINITY_UL);
const lit_utf8_size_t infinity_length = lit_get_magic_string_size (LIT_MAGIC_STRING_INFINITY_UL);

2
jerry-core/ecma/base/ecma-helpers-number.c
View File

@ -659,7 +659,7 @@ ecma_number_parse_float (const lit_utf8_byte_t *str_p, /**< routine's first argu
}
/* 5. */
ecma_number_t ret_num = ecma_utf8_string_to_number (num_start_p, (lit_utf8_size_t) (num_end_p - num_start_p), 0);
ecma_number_t ret_num = ecma_utf8_string_to_number (num_start_p, num_size, 0);
if (sign)
{

23
tests/jerry/regression-test-issue-4850.js Normal file
View File

@ -0,0 +1,23 @@
// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
assert(Number('0x10') === 16);
assert(isNaN(Number('+0x10')));
assert(isNaN(Number('-0x10')));
assert(parseFloat('0x10') === 0);
assert(parseFloat('+0x10') === 0);
assert(parseFloat('-0x10') === 0);
assert(0x10 === 16);
assert(+0x10 === 16);
assert(-0x10 === -16);