From 6d8c287032f9b87f1d787d41ecf9c37cdf29892c Mon Sep 17 00:00:00 2001 From: Petri Lehtinen Date: Sun, 13 Sep 2009 13:15:34 +0300 Subject: [PATCH] load: Check for integer and real overlfows and underflows Backported from master, commit 5406c2b3d347505149d382213b6f318f8c35de6a: * deleted test/testdata/invalid-stripped because the stripped tests don't exist in 1.0 --- src/load.c | 49 +++++++++++++++++++++++++++++++++++-------- test/testdata/invalid | 25 ++++++++++++++++++++++ 2 files changed, 65 insertions(+), 9 deletions(-) diff --git a/src/load.c b/src/load.c index fc3679d..5175f35 100644 --- a/src/load.c +++ b/src/load.c @@ -8,6 +8,7 @@ #define _GNU_SOURCE #include #include +#include #include #include #include @@ -399,10 +400,11 @@ out: free(lex->value.string); } -static void lex_scan_number(lex_t *lex, char c, json_error_t *error) +static int lex_scan_number(lex_t *lex, char c, json_error_t *error) { const char *saved_text; char *end; + double value; lex->token = TOKEN_INVALID; @@ -423,14 +425,26 @@ static void lex_scan_number(lex_t *lex, char c, json_error_t *error) } if(c != '.' && c != 'E' && c != 'e') { + long value; + lex_unget_unsave(lex, c); - lex->token = TOKEN_INTEGER; saved_text = strbuffer_value(&lex->saved_text); - lex->value.integer = strtol(saved_text, &end, 10); + value = strtol(saved_text, &end, 10); assert(end == saved_text + lex->saved_text.length); - return; + if((value == LONG_MAX && errno == ERANGE) || value > INT_MAX) { + error_set(error, lex, "too big integer"); + goto out; + } + else if((value == LONG_MIN && errno == ERANGE) || value < INT_MIN) { + error_set(error, lex, "too big negative integer"); + goto out; + } + + lex->token = TOKEN_INTEGER; + lex->value.integer = (int)value; + return 0; } if(c == '.') { @@ -460,14 +474,29 @@ static void lex_scan_number(lex_t *lex, char c, json_error_t *error) } lex_unget_unsave(lex, c); - lex->token = TOKEN_REAL; saved_text = strbuffer_value(&lex->saved_text); - lex->value.real = strtod(saved_text, &end); + value = strtod(saved_text, &end); assert(end == saved_text + lex->saved_text.length); + if(value == 0 && errno == ERANGE) { + error_set(error, lex, "real number underflow"); + goto out; + } + + /* Cannot test for +/-HUGE_VAL because the HUGE_VAL constant is + only defined in C99 mode. So let's trust in sole errno. */ + else if(errno == ERANGE) { + error_set(error, lex, "real number overflow"); + goto out; + } + + lex->token = TOKEN_REAL; + lex->value.real = value; + return 0; + out: - return; + return -1; } static int lex_scan(lex_t *lex, json_error_t *error) @@ -506,8 +535,10 @@ static int lex_scan(lex_t *lex, json_error_t *error) else if(c == '"') lex_scan_string(lex, error); - else if(isdigit(c) || c == '-') - lex_scan_number(lex, c, error); + else if(isdigit(c) || c == '-') { + if(lex_scan_number(lex, c, error)) + goto out; + } else if(isupper(c) || islower(c)) { /* eat up the whole identifier for clearer error messages */ diff --git a/test/testdata/invalid b/test/testdata/invalid index 2887692..1a70422 100644 --- a/test/testdata/invalid +++ b/test/testdata/invalid @@ -127,6 +127,21 @@ invalid token near '1e' ==== 1 invalid token near '1e' +==== real-positive-overflow ==== +[123123e100000] +==== +1 +real number overflow near '123123e100000' +==== real-negative-overflow ==== +[-123123e100000] +==== +1 +real number overflow near '-123123e100000' +==== real-underflow ==== +[123e-10000000] +==== +1 +real number underflow near '123e-10000000' ==== integer-starting-with-zero ==== [012] ==== @@ -137,6 +152,16 @@ invalid token near '0' ==== 1 invalid token near '-0' +==== too-big-positive-integer ==== +[123123123123123] +==== +1 +too big integer near '123123123123123' +==== too-big-negative-integer ==== +[-123123123123123] +==== +1 +too big negative integer near '-123123123123123' ==== invalid-identifier ==== [troo ====