py/parsenum: Avoid undefined behavior parsing floats with large exponents.

Fuzz testing combined with the undefined behavior sanitizer found that parsing unreasonable float literals like 1e+9999999999999 resulted in undefined behavior due to overflow in signed integer arithmetic, and a wrong result being returned.
author: Jeff Epler <jepler@gmail.com> 2018-05-19 10:56:34 -0500
committer: Damien George <damien.p.george@gmail.com> 2018-05-21 12:37:57 +1000
commit: 4f71a2a75a71b89dad2eed147d6e237b633b878e (patch)
tree: df59b91fe3299dbe213a9bdd31875ab790df55f1 /py/parsenum.c
parent: 5efc575067df17be785d2b60124706d789d6cfe0 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/py/parsenum.c b/py/parsenum.c
index 8bd5232eb..ba7e40afd 100644
--- a/py/parsenum.c
+++ b/py/parsenum.c
@@ -234,7 +234,12 @@ mp_obj_t mp_parse_num_decimal(const char *str, size_t len, bool allow_imag, bool
             if ('0' <= dig && dig <= '9') {
                 dig -= '0';
                 if (in == PARSE_DEC_IN_EXP) {
-                    exp_val = 10 * exp_val + dig;
+                    // don't overflow exp_val when adding next digit, instead just truncate
+                    // it and the resulting float will still be correct, either inf or 0.0
+                    // (use INT_MAX/2 to allow adding exp_extra at the end without overflow)
+                    if (exp_val < (INT_MAX / 2 - 9) / 10) {
+                        exp_val = 10 * exp_val + dig;
+                    }
                 } else {
                     if (dec_val < DEC_VAL_MAX) {
                         // dec_val won't overflow so keep accumulating
author	Jeff Epler <jepler@gmail.com>	2018-05-19 10:56:34 -0500
committer	Damien George <damien.p.george@gmail.com>	2018-05-21 12:37:57 +1000
commit	4f71a2a75a71b89dad2eed147d6e237b633b878e (patch)
tree	df59b91fe3299dbe213a9bdd31875ab790df55f1 /py/parsenum.c
parent	5efc575067df17be785d2b60124706d789d6cfe0 (diff)