Fix buffer overrun in make_float()

Fixes #2220
This commit is contained in:
Benoit Blanchon
2026-03-02 10:35:44 +01:00
parent ab8c9be609
commit 5ccf645dc1
3 changed files with 40 additions and 0 deletions
+7
View File
@@ -35,6 +35,13 @@ HEAD
> + doc["strings"] = JsonString("hello\0world", 11)
> ```
v7.4.3 (2026-03-02)
------
* Fix a buffer overrun in `as<T>()` when `T` is a numeric type and
the variant contains a string representing a floating point number
with a large number of digits (issue #2220)
v7.4.2 (2025-06-20)
------
+30
View File
@@ -93,4 +93,34 @@ TEST_CASE("parseNumber<double>()") {
checkDoubleNaN("NaN");
checkDoubleNaN("nan");
}
SECTION("Overflow exponent with decimal part") { // Issue #2220
checkDoubleNaN(
"0.000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000001");
}
SECTION("Overflow exponent with integral part") {
checkDoubleNaN(
"10000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000");
}
}
+3
View File
@@ -198,10 +198,13 @@ inline TFloat make_float(TFloat m, TExponent e) {
auto powersOfTen = e > 0 ? traits::positiveBinaryPowersOfTen()
: traits::negativeBinaryPowersOfTen();
if (e <= 0)
e = TExponent(-e);
for (uint8_t index = 0; e != 0; index++) {
if (index >= powersOfTen.size())
return traits::nan();
if (e & 1)
m *= powersOfTen[index];
e >>= 1;