Fix oss-fuzz report triggered by GH-15712 commit. #15915
Conversation
It triggered allocation overflow which, even fixed, in turn gives memory leak on 32 bits but the allocator relies on signed integers so instead of changing `j` type we exit if an overflow during the buffer increase is going to happen.
|
Maybe we should constrain Lines 289 to 298 in c7397f5 I mean, even |
|
for sure, but I was thinking it s behavior change, precision never was limited and I am targeting a stable branch. Thought it was more appropriate for master. |
Oh, absolutely. :) |
There was a problem hiding this comment.
If the loop is terminated because j > (INT_MAX >> 1), isn't there the risk of a buffer overflow in the following? I think in this case we would need to bail out (exception or even a fatal error).
And if we bail out, we could also check whether i exceeds the threshold before even entering the loop.
And from there we can even move the check up the stack; likely zend_dtoa() should not accept very large ndigits.
Zend/zend_strtod.c
Outdated
| size_t j = sizeof(ULong); | ||
|
|
||
| j = sizeof(ULong); | ||
| if (i > (INT_MAX - rem)) |
There was a problem hiding this comment.
I think this line should be
| if (i > (INT_MAX - rem)) | |
| if (i > ((INT_MAX >> 2) + rem)) |
Then the other overflow check should be superfluous.
There was a problem hiding this comment.
Oh, and I think reverting the changes from #15715 could also be appropriate, since j should never exceed INT_MAX (actually, it must always be less than 0x40000000).
|
Oh, I've overlooked that the test leaks now. We could mark it as |
It triggered allocation overflow which, even fixed, in turn gives memory leak on 32 bits but the allocator relies on signed integers so instead of changing
jtype we exit if an overflow during the buffer increase is going to happen.