deny scientific notation exponents below -99

1e999 and 1e-999 were able to cause hangs as we use arbitrary precision numbers rather than floating point. this may change in the future (see sass/sass#2892)
connorskees · Aug 20, 2020 · c19eda6 · c19eda6
1 parent 921b6e4
commit c19eda6
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/parse/value/parse.rs b/src/parse/value/parse.rs
@@ -407,6 +407,12 @@ impl<'a> Parser<'a> {
                         return Err(
                             ("Expected digit.", self.toks.peek().unwrap_or(&tok).pos).into()
                         );
+                    } else if times_ten.len() > 2 {
+                        return Err((
+                            "Exponent too negative.",
+                            self.toks.peek().unwrap_or(&tok).pos,
+                        )
+                            .into());
                     }
                 } else if matches!(tok.kind, '0'..='9') {
                     self.toks.next();

diff --git a/tests/number.rs b/tests/number.rs
@@ -154,3 +154,13 @@ test!(
     "a {\n  color: 999999999999999999 * 10;\n}\n",
     "a {\n  color: 9999999999999999990;\n}\n"
 );
+// we use arbitrary precision, so it is necessary to limit the size of exponents
+// in order to prevent hangs
+error!(
+    scientific_notation_too_positive,
+    "a {\n  color: 1e100;\n}\n", "Error: Exponent too large."
+);
+error!(
+    scientific_notation_too_negative,
+    "a {\n  color: 1e-100;\n}\n", "Error: Exponent too negative."
+);