Skip to content

Commit df9ce19

Browse files
griesemerkatiehockman
authored andcommitted
[release-branch.go1.15] math/big: check for excessive exponents in Rat.SetString
Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284 Thanks to Emmanuel Odeke for reporting this issue. Updates #45910 Fixes #46305 Fixes CVE-2021-33198 Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c Reviewed-on: https://go-review.googlesource.com/c/go/+/316149 Trust: Robert Griesemer <[email protected]> Trust: Katie Hockman <[email protected]> Run-TryBot: Robert Griesemer <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Reviewed-by: Emmanuel Odeke <[email protected]> (cherry picked from commit 6c591f7) Reviewed-on: https://go-review.googlesource.com/c/go/+/321831 Run-TryBot: Katie Hockman <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
1 parent 3380b18 commit df9ce19

File tree

2 files changed

+33
-7
lines changed

2 files changed

+33
-7
lines changed

src/math/big/ratconv.go

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
5151
// An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
5252
// exponent may be provided as well, except for hexadecimal floats which
5353
// only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
54-
// be distinguished from a mantissa digit).
54+
// be distinguished from a mantissa digit). If the exponent's absolute value
55+
// is too large, the operation may fail.
5556
// The entire string, not just a prefix, must be valid for success. If the
5657
// operation failed, the value of z is undefined but the returned value is nil.
5758
func (z *Rat) SetString(s string) (*Rat, bool) {
@@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
169170
if n < 0 {
170171
n = -n
171172
}
173+
if n > 1e6 {
174+
return nil, false // avoid excessively large exponents
175+
}
172176
pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
173177
if exp5 > 0 {
174178
z.a.abs = z.a.abs.mul(z.a.abs, pow5)
@@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
181185
}
182186

183187
// apply exp2 contributions
188+
if exp2 < -1e7 || exp2 > 1e7 {
189+
return nil, false // avoid excessively large exponents
190+
}
184191
if exp2 > 0 {
185-
if int64(uint(exp2)) != exp2 {
186-
panic("exponent too large")
187-
}
188192
z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
189193
} else if exp2 < 0 {
190-
if int64(uint(-exp2)) != -exp2 {
191-
panic("exponent too large")
192-
}
193194
z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
194195
}
195196

src/math/big/ratconv_test.go

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) {
589589
}
590590
}
591591
}
592+
593+
func TestIssue45910(t *testing.T) {
594+
var x Rat
595+
for _, test := range []struct {
596+
input string
597+
want bool
598+
}{
599+
{"1e-1000001", false},
600+
{"1e-1000000", true},
601+
{"1e+1000000", true},
602+
{"1e+1000001", false},
603+
604+
{"0p1000000000000", true},
605+
{"1p-10000001", false},
606+
{"1p-10000000", true},
607+
{"1p+10000000", true},
608+
{"1p+10000001", false},
609+
{"1.770p02041010010011001001", false}, // test case from issue
610+
} {
611+
_, got := x.SetString(test.input)
612+
if got != test.want {
613+
t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
614+
}
615+
}
616+
}

0 commit comments

Comments
 (0)