Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(json): int64 overflow in JSON numop #2340

Closed
wants to merge 12 commits into from
Closed

fix(json): int64 overflow in JSON numop #2340

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
ae25942
fix number ranger
q3356564 May 29, 2024
2afcfc5
fix blank
q3356564 May 30, 2024
07b4694
Merge branch 'unstable' into fix-remote-over-range
PragmaTwice May 30, 2024
ce50a66
fix
q3356564 May 31, 2024
d872848
fix
q3356564 May 31, 2024
2430971
fix
q3356564 May 31, 2024
82247bc
fix
q3356564 May 31, 2024
28c2628
Merge branch 'fix-over-range' of https://github.com/jackyyyyyssss/kvr…
q3356564 May 31, 2024
d80a6fb
Merge branch 'fix-remote-over-range' of https://github.com/jackyyyyys…
q3356564 May 31, 2024
5daec01
fix
q3356564 May 31, 2024
4f6931a
fix
q3356564 May 31, 2024
e58f620
fix
q3356564 May 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions src/common/bit_util.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,13 @@ inline size_t RawPopcount(const uint8_t *p, int64_t count) {

return bits;
}
inline bool Int64OperationOverFlow(int64_t a, int64_t b, int64_t result, uint8_t operation) {
if (operation == 1) {
return __builtin_add_overflow(a, b, &result);
} else {
return __builtin_mul_overflow(a, b, &result);
}
}
Copy link
Member

@PragmaTwice PragmaTwice May 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function looks very weird. What's operation? What's 1 here? Why mul is executed if operation is not 1?

Please remove it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, this function is totally wrong since the result is passed by value.


template <typename T = void>
inline int ClzllWithEndian(uint64_t x) {
Expand Down
15 changes: 15 additions & 0 deletions src/types/json.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
#include <limits>
#include <string>

#include "common/bit_util.h"
#include "common/string_util.h"
#include "jsoncons_ext/jsonpath/jsonpath_error.hpp"
#include "status.h"
Expand Down Expand Up @@ -575,6 +576,11 @@ struct JsonValue {
result->value.push_back(jsoncons::json::null());
return;
}
if (CheckJsonInt64OverFlow(number.value) || CheckJsonInt64OverFlow(origin)) {
status = {Status::RedisExecErr, "number out of range"};
return;
}

if (number.value.is_double() || origin.is_double()) {
double v = 0;
if (op == NumOpEnum::Incr) {
Expand All @@ -588,6 +594,12 @@ struct JsonValue {
}
origin = v;
} else {
int64_t v = 0;
if (util::Int64OperationOverFlow(origin.as_integer<int64_t>(), number.value.as_integer<int64_t>(), v,
static_cast<uint8_t>(op))) {
status = {Status::RedisExecErr, "number out of range"};
return;
}
if (op == NumOpEnum::Incr) {
origin = origin.as_integer<int64_t>() + number.value.as_integer<int64_t>();
} else if (op == NumOpEnum::Mul) {
Expand All @@ -601,6 +613,9 @@ struct JsonValue {
}
return status;
}
static bool CheckJsonInt64OverFlow(const jsoncons::json &check_value) {
return (check_value.is_number() && (!check_value.is_int64() && !check_value.is_double()));
}

JsonValue(const JsonValue &) = default;
JsonValue(JsonValue &&) = default;
Expand Down
12 changes: 12 additions & 0 deletions tests/gocase/unit/type/json/json_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -509,6 +509,18 @@ func TestJson(t *testing.T) {
EqualJSON(t, `[1]`, rdb.Do(ctx, "JSON.NUMINCRBY", "a", "$.foo", 1).Val())
EqualJSON(t, `[1]`, rdb.Do(ctx, "JSON.GET", "a", "$.foo").Val())
EqualJSON(t, `[3]`, rdb.Do(ctx, "JSON.NUMINCRBY", "a", "$.foo", 2).Val())
//args overflow
require.Error(t, rdb.Do(ctx, "JSON.NUMINCRBY", "a", "$.foo", "22222222222222222222222222222222222222222222222222222").Err())
require.Error(t, rdb.Do(ctx, "JSON.NUMMULTBY", "a", "$.foo", "22222222222222222222222222222222222222222222222222222").Err())
//origin overflow
require.NoError(t, rdb.Do(ctx, "JSON.SET", "over_flow", "$", `{ "foo":9223372036854775809, "bar": "baz" }`).Err())
require.Error(t, rdb.Do(ctx, "JSON.NUMINCRBY", "over_flow", "$.foo", 2).Err())
require.Error(t, rdb.Do(ctx, "JSON.NUMMULTBY", "over_flow", "$.foo", 2).Err())
//result overflow 9223372036854775806<std::numeric_limits::max()
require.NoError(t, rdb.Do(ctx, "JSON.SET", "over_flow", "$", `{ "foo":9223372036854775806, "bar": "baz" }`).Err())
require.Error(t, rdb.Do(ctx, "JSON.NUMINCRBY", "over_flow", "$.foo", 20).Err())
require.Error(t, rdb.Do(ctx, "JSON.NUMMULTBY", "over_flow", "$.foo", 2).Err())

EqualJSON(t, `[3.5]`, rdb.Do(ctx, "JSON.NUMINCRBY", "a", "$.foo", 0.5).Val())

// wrong type
Expand Down
Loading