Fix buffer overrun in make_float()

Fixes #2220
This commit is contained in:
Benoit Blanchon
2026-03-02 10:35:44 +01:00
parent 464b054ac6
commit ff2db174ff
3 changed files with 41 additions and 0 deletions
+3
View File
@@ -6,6 +6,9 @@ HEAD
* Improve error messages when using `char` or `char*` (issue #2043)
* Make string support even more generic (PR #2084 by @d-a-v)
* Fix a buffer overrun in `as<T>()` when `T` is a numeric type and
the variant contains a string representing a floating point number
with a large number of digits (issue #2220)
v6.21.5 (2024-01-10)
-------
+30
View File
@@ -93,4 +93,34 @@ TEST_CASE("parseNumber<double>()") {
checkDoubleNaN("NaN");
checkDoubleNaN("nan");
}
SECTION("Overflow exponent with decimal part") { // Issue #2220
checkDoubleNaN(
"0.000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000001");
}
SECTION("Overflow exponent with integral part") {
checkDoubleNaN(
"10000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000");
}
}
+8
View File
@@ -29,6 +29,8 @@ struct FloatTraits<T, 8 /*64bits*/> {
typedef int16_t exponent_type;
static const exponent_type exponent_max = 308;
static const size_t binaryPowersOfTen = 9;
static pgm_ptr<T> positiveBinaryPowersOfTen() {
ARDUINOJSON_DEFINE_PROGMEM_ARRAY( //
uint64_t, factors,
@@ -113,6 +115,8 @@ struct FloatTraits<T, 4 /*32bits*/> {
typedef int8_t exponent_type;
static const exponent_type exponent_max = 38;
static const size_t binaryPowersOfTen = 6;
static pgm_ptr<T> positiveBinaryPowersOfTen() {
ARDUINOJSON_DEFINE_PROGMEM_ARRAY(uint32_t, factors,
{
@@ -198,10 +202,14 @@ inline TFloat make_float(TFloat m, TExponent e) {
auto powersOfTen = e > 0 ? traits::positiveBinaryPowersOfTen()
: traits::negativeBinaryPowersOfTen();
auto count = traits::binaryPowersOfTen;
if (e <= 0)
e = TExponent(-e);
for (uint8_t index = 0; e != 0; index++) {
if (index >= count)
return traits::nan();
if (e & 1)
m *= powersOfTen[index];
e >>= 1;