From df9ce19db6df32d94eae8760927bdfbc595433c3 Mon Sep 17 00:00:00 2001 From: Robert Griesemer Date: Sun, 2 May 2021 11:27:03 -0700 Subject: [release-branch.go1.15] math/big: check for excessive exponents in Rat.SetString Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284 Thanks to Emmanuel Odeke for reporting this issue. Updates #45910 Fixes #46305 Fixes CVE-2021-33198 Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c Reviewed-on: https://go-review.googlesource.com/c/go/+/316149 Trust: Robert Griesemer Trust: Katie Hockman Run-TryBot: Robert Griesemer TryBot-Result: Go Bot Reviewed-by: Katie Hockman Reviewed-by: Emmanuel Odeke (cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0) Reviewed-on: https://go-review.googlesource.com/c/go/+/321831 Run-TryBot: Katie Hockman Reviewed-by: Roland Shoemaker --- src/math/big/ratconv.go | 15 ++++++++------- src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go index 941139e72d..ac3c8bd11f 100644 --- a/src/math/big/ratconv.go +++ b/src/math/big/ratconv.go @@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error { // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants) // exponent may be provided as well, except for hexadecimal floats which // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot -// be distinguished from a mantissa digit). +// be distinguished from a mantissa digit). If the exponent's absolute value +// is too large, the operation may fail. // The entire string, not just a prefix, must be valid for success. If the // operation failed, the value of z is undefined but the returned value is nil. func (z *Rat) SetString(s string) (*Rat, bool) { @@ -169,6 +170,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) { if n < 0 { n = -n } + if n > 1e6 { + return nil, false // avoid excessively large exponents + } pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs if exp5 > 0 { z.a.abs = z.a.abs.mul(z.a.abs, pow5) @@ -181,15 +185,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) { } // apply exp2 contributions + if exp2 < -1e7 || exp2 > 1e7 { + return nil, false // avoid excessively large exponents + } if exp2 > 0 { - if int64(uint(exp2)) != exp2 { - panic("exponent too large") - } z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2)) } else if exp2 < 0 { - if int64(uint(-exp2)) != -exp2 { - panic("exponent too large") - } z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2)) } diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go index ba0d1ba9e1..15d206cb38 100644 --- a/src/math/big/ratconv_test.go +++ b/src/math/big/ratconv_test.go @@ -589,3 +589,28 @@ func TestIssue31184(t *testing.T) { } } } + +func TestIssue45910(t *testing.T) { + var x Rat + for _, test := range []struct { + input string + want bool + }{ + {"1e-1000001", false}, + {"1e-1000000", true}, + {"1e+1000000", true}, + {"1e+1000001", false}, + + {"0p1000000000000", true}, + {"1p-10000001", false}, + {"1p-10000000", true}, + {"1p+10000000", true}, + {"1p+10000001", false}, + {"1.770p02041010010011001001", false}, // test case from issue + } { + _, got := x.SetString(test.input) + if got != test.want { + t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want) + } + } +} -- cgit v1.2.3-54-g00ecf