Merge pull request #567 from marioga/marioga_prevent_int_overflow

ultrajson · Oct 14, 2022 · 36ced86 · 36ced86
2 parents 7db453b + ec095e4
commit 36ced86
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/lib/ultrajsondec.c b/lib/ultrajsondec.c
@@ -79,7 +79,9 @@ static JSOBJ SetError( struct DecoderState *ds, int offset, const char *message)
 static FASTCALL_ATTR JSOBJ FASTCALL_MSVC decodeDouble(struct DecoderState *ds)
 {
   int processed_characters_count;
-  int len = (int)(ds->end - ds->start);
+  /* Prevent int overflow if ds->end - ds->start is too large. See check_decode_decimal_no_int_overflow()
+  inside tests/test_ujson.py for an example where this check is necessary. */
+  int len = ((size_t) (ds->end - ds->start) < (size_t) INT_MAX) ? (int) (ds->end - ds->start) : INT_MAX;
   double value = dconv_s2d(ds->dec->s2d, ds->start, len, &processed_characters_count);
   ds->lastType = JT_DOUBLE;
   ds->start += processed_characters_count;

diff --git a/tests/test_ujson.py b/tests/test_ujson.py
@@ -1124,6 +1124,19 @@ def test_separators_errors(separators, expected_exception):
         ujson.dumps({"a": 0, "b": 1}, separators=separators)
 
 
+"""
+The following checks are not part of the standard test suite.
+They can be run manually as follows:
+python -c 'from tests.test_ujson import check_foo; check_foo()'
+"""
+
+
+def check_decode_decimal_no_int_overflow():
+    # Requires enough free RAM to hold a ~4GB string in memory
+    decoded = ujson.decode(r'[0.123456789,"{}"]'.format("a" * (2**32 - 5)))
+    assert decoded[0] == 0.123456789
+
+
 """
 def test_decode_numeric_int_frc_overflow():
 input = "X.Y"