
Parsing "128.74836467836484838364836483643636483648e-336" causes a crash #1251

Closed
StilesCrisis opened this issue May 11, 2018 · 3 comments

Comments

@StilesCrisis
Contributor

The number "128.74836467836484838364836483643636483648e-336" causes rapidjson::internal::GetCachedPower10 to overflow a signed integer.

Sanitizer report:
third_party/rapidjson/include/rapidjson/internal/diyfp.h:242:47: runtime error: signed integer overflow: 536870911 * 8 cannot be represented in type 'int'

@StilesCrisis
Contributor Author

This can lead to a segfault.

Program received signal SIGSEGV, Segmentation fault.
GetCachedPower10 (outExp=, exp=-353) at ~/github/rapidjson/include/rapidjson/internal/diyfp.h:244
244 return GetCachedPowerByIndex(index);
(gdb) bt
#0 GetCachedPower10 (outExp=, exp=-353) at ~/github/rapidjson/include/rapidjson/internal/diyfp.h:244
#1 StrtodDiyFp (result=, exp=, decimalPosition=, length=, decimals=)
at ~/github/rapidjson/include/rapidjson/internal/strtod.h:154
#2 StrtodFullPrecision (exp=-336, decimalPosition=3, length=, decimals=0x555555dfb800 "12874836467836484838364836483643636483648", p=,
d=) at ~/github/rapidjson/include/rapidjson/internal/strtod.h:259
#3 rapidjson::GenericReader<rapidjson::UTF8, rapidjson::UTF8, rapidjson::CrtAllocator>::ParseNumber<16u, rapidjson::GenericStringStream<rapidjson::UTF8 >, ParseDoubleHandler> (this=this@entry=0x7fffffffd920, is=..., handler=...) at ~/github/rapidjson/include/rapidjson/reader.h:1692
#4 0x00005555558653d7 in rapidjson::GenericReader<rapidjson::UTF8, rapidjson::UTF8, rapidjson::CrtAllocator>::ParseValue<16u, rapidjson::GenericStringStream<rapidjson::UTF8 >, ParseDoubleHandler> (this=this@entry=0x7fffffffd920, is=..., handler=...)
at ~/github/rapidjson/include/rapidjson/reader.h:1731
#5 0x0000555555865a3b in rapidjson::GenericReader<rapidjson::UTF8, rapidjson::UTF8, rapidjson::CrtAllocator>::Parse<16u, rapidjson::GenericStringStream<rapidjson::UTF8 >, ParseDoubleHandler> (this=this@entry=0x7fffffffd920, is=..., handler=...) at ~/github/rapidjson/include/rapidjson/reader.h:573
#6 0x00005555557d485e in TestParseDouble () at ~/github/rapidjson/test/unittest/readertest.cpp:247
#7 0x0000555555adf7ea in HandleSehExceptionsInMethodIfSupported<testing::Test, void> (location=0x555555b0f41a "the test body", method=, object=0x555555dd0d40)
at ~/github/rapidjson/thirdparty/gtest/googletest/src/gtest.cc:2402
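The index arithmetic behind the sanitizer report and the exp=-353 frame above, as an added C++ example that is not rapidjson's code: the unsigned-wrap form of the index computation and an 87-entry table starting at 10^-348 are assumed from the report, and a bounds-checked variant that rejects exponents the table does not cover is shown beside it.

```cpp
#include <cstdio>

// Constructed reconstruction of the cached-power lookup shape implied by
// the sanitizer report; not rapidjson's source. The table is assumed to
// hold powers of ten from 10^-348 upward in steps of 8, 87 entries in all.
static const int kMinDecimalExponent = -348;
static const int kCachedPowerCount = 87;
static const int kMaxDecimalExponent =
    kMinDecimalExponent + 8 * (kCachedPowerCount - 1);  // 340

// Unchecked index arithmetic. For exp < -348 the unsigned addition wraps
// and yields an index far beyond the table (536870911 for exp = -353). The
// reported signed overflow came from converting that index back to int and
// multiplying by 8; this example computes only the index and never does so.
unsigned CachedPowerIndexUnchecked(int exp) {
    return (static_cast<unsigned>(exp) + 348u) / 8u;
}

// Checked variant: refuse exponents the table does not cover and return -1,
// so the caller never indexes with a wrapped value. Both operands of the
// division are non-negative, so no wrap or overflow can occur here.
int CachedPowerIndexChecked(int exp) {
    if (exp < kMinDecimalExponent || exp > kMaxDecimalExponent) return -1;
    return (exp - kMinDecimalExponent) / 8;
}

// Decimal exponent represented by table entry `index` (index must be valid).
int CachedPowerExponent(int index) {
    return kMinDecimalExponent + index * 8;
}

int main() {
    const int exp = -353;  // exponent from the backtrace in the report
    unsigned bad = CachedPowerIndexUnchecked(exp);
    std::printf("unchecked index for exp=%d: %u (table size %d)\n",
                exp, bad, kCachedPowerCount);
    int good = CachedPowerIndexChecked(exp);
    std::printf("checked index for exp=%d: %d\n", exp, good);  // -1: rejected
    int ok = CachedPowerIndexChecked(-336);
    std::printf("checked index for exp=-336: %d -> 10^%d\n",
                ok, CachedPowerExponent(ok));
    return 0;
}
```

The unchecked index for exp=-353 matches the 536870911 in the sanitizer line, which is what a caller must never hand to a table of 87 entries.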

@StilesCrisis StilesCrisis changed the title Parsing "128.74836467836484838364836483643636483648e-336" causes UB Parsing "128.74836467836484838364836483643636483648e-336" causes a crash May 11, 2018
StilesCrisis added a commit to StilesCrisis/rapidjson that referenced this issue May 11, 2018
@StilesCrisis
Contributor Author

Unit test demonstrating the behavior is now in #1252

@abolz abolz mentioned this issue Jun 15, 2018
@miloyip miloyip added this to the v1.2 Beta milestone Jun 21, 2018
@miloyip miloyip added the bug label Jun 21, 2018
@miloyip
Collaborator

miloyip commented Jun 21, 2018

Fixed in #1290

@miloyip miloyip closed this as completed Jun 21, 2018