From: Marc Lehmann <schmorp@schmorp.de>
Date: Sat, 6 Sep 2025 11:31:36 +0200
Subject: fix json_atof_scan1 overflows
Origin: https://github.com/rurban/Cpanel-JSON-XS/commit/378236219eaa35742c3962ecbdee364903b0a1f2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40929
with fuzzed overlong numbers. CVE-2025-40928
Really the comparisons were wrong.
---
XS.xs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/XS.xs b/XS.xs
index 9b1ce2bd5f28..2b9900f62285 100755
--- a/XS.xs
+++ b/XS.xs
@@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
/* if we recurse too deep, skip all remaining digits */
/* to avoid a stack overflow attack */
if (UNLIKELY(--maxdepth <= 0))
- while (((U8)*s - '0') < 10)
+ while (*s >= '0' && *s <= '9')
++s;
for (;;)
{
- U8 dig = (U8)*s - '0';
+ U8 dig = (U8)(*s - '0');
if (UNLIKELY(dig >= 10))
{
- if (dig == (U8)((U8)'.' - (U8)'0'))
+ if (dig == (U8)('.' - '0'))
{
++s;
json_atof_scan1 (s, accum, expo, 1, maxdepth);
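Review bot: The new range test `while (*s >= '0' && *s <= '9')` deserves a comment, because the expression it replaces looks equivalent and is likely to be "simplified" back by a later maintainer: `(U8)*s - '0'` is int arithmetic, so every byte below '0' — including the terminating NUL — gives a negative result that satisfies `< 10`, and the skip loop walked past the end of the string. Suggest placing `/* explicit range check: (U8)*s - '0' is int arithmetic, so any byte below '0' (incl. the NUL terminator) is negative, passes < 10, and runs off the string */` above the while. The same point applies to the exponent loop in the second hunk. The `dig` form one line later is safe only because the difference is cast back to U8 before the `>= 10` test, which is worth stating in the same comment. json_atof_scan1 begins before this hunk and continues after it.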
@@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
else if (*s == '+')
++s;
- while ((dig = (U8)*s - '0') < 10)
+ while (*s >= '0' && *s <= '9')
exp2 = exp2 * 10 + *s++ - '0';
*expo += neg ? -exp2 : exp2;
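Review bot: The exponent accumulation `exp2 = exp2 * 10 + *s++ - '0';` is still unbounded: the corrected loop now stops at the first non-digit, but a long run of exponent digits multiplies exp2 past the range of its type (declared above the hunk; presumably int), which is signed overflow, and `*expo += neg ? -exp2 : exp2;` then folds an undefined value into the result. Because any exponent beyond a few thousand already saturates the NV, clamping is sufficient and keeps the parse position correct: `while (*s >= '0' && *s <= '9') { if (exp2 < 100000) exp2 = exp2 * 10 + (*s - '0'); ++s; }`. The enclosing function starts and ends outside this hunk, so the declaration of exp2 and the value ranges expo is later checked against could not be confirmed here.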
--
2.51.0