diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d782ce0..4df540ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,13 @@ HEAD > + doc["strings"] = JsonString("hello\0world", 11) > ``` +v7.4.3 (2026-03-02) +------ + +* Fix a buffer overrun in `as()` when `T` is a numeric type and + the variant contains a string representing a floating point number + with a large number of digits (issue #2220) + v7.4.2 (2025-06-20) ------ diff --git a/extras/tests/Numbers/parseDouble.cpp b/extras/tests/Numbers/parseDouble.cpp index a4592790..11d3f182 100644 --- a/extras/tests/Numbers/parseDouble.cpp +++ b/extras/tests/Numbers/parseDouble.cpp 
@@ -93,4 +93,34 @@ TEST_CASE("parseNumber()") {
 checkDoubleNaN("NaN");
 checkDoubleNaN("nan");
 }
+
+ SECTION("Overflow exponent with decimal part") { // Issue #2220
+ checkDoubleNaN(
+ "0.000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000001");
+ }
+
+ SECTION("Overflow exponent with integral part") {
+ checkDoubleNaN(
+ "10000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000");
+ }
 }
diff --git a/src/ArduinoJson/Numbers/FloatTraits.hpp b/src/ArduinoJson/Numbers/FloatTraits.hpp
index af418fa5..9bac8d50 100644
--- a/src/ArduinoJson/Numbers/FloatTraits.hpp
+++ b/src/ArduinoJson/Numbers/FloatTraits.hpp
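Review bot: In extras/tests/Numbers/parseDouble.cpp both new sections feed inputs several hundred digits long, so nothing pins the boundary of the bounds check this commit adds to make_float(). A pair of cases on either side of the last usable entry of the powers-of-ten table would catch an off-by-one in `index >= powersOfTen.size()`. A matching case for `float`, whose table is presumably shorter, is not visible in this diff. The second section could also carry the `// Issue #2220` comment that the first one has.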
@@ -198,10 +198,13 @@ inline TFloat make_float(TFloat m, TExponent e) { auto powersOfTen = e > 0 ? traits::positiveBinaryPowersOfTen() : traits::negativeBinaryPowersOfTen(); + if (e <= 0) e = TExponent(-e); for (uint8_t index = 0; e != 0; index++) { + if (index >= powersOfTen.size()) + return traits::nan(); if (e & 1) m *= powersOfTen[index]; e >>= 1;
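Review bot: The new guard `if (index >= powersOfTen.size()) return traits::nan();` reports overflow and underflow the same way, because `e` has already been replaced by its magnitude when the loop runs. A caller therefore cannot tell a value too large or too small to represent from a string that is not a number at all. If the parser maps out-of-range exponents to infinity or zero elsewhere (not visible in this hunk), recording the sign before `e = TExponent(-e);` and returning the matching value would keep the two paths consistent. Either way the guard deserves a comment such as `// exponent needs a power of ten beyond the table: out of range (issue #2220)`, since the loop condition `e != 0` alone does not bound `index`. make_float()'s body starts before this hunk and continues past it.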