Assertion In Pow10.h is triggered in Document::Parse #313

Closed
dkw72n opened this issue Apr 24, 2015 · 4 comments
dkw72n commented Apr 24, 2015

Here is the code that triggered the assertion:

#include "rapidjson/document.h"
int main()
{
    // exponent with many digits: the int accumulating it overflows
    const char * json = "{\"asd\":[1e-00011111111111]}";
    rapidjson::Document d;
    d.Parse(json);
    return 0;
}

output:

[root@localhost build]# g++ a.cpp && ./a.out
a.out: ../include/rapidjson/internal/pow10.h:46: double rapidjson::internal::Pow10(int): Assertion `n >= 0 && n <= 308' failed.
已放弃

This happened because an integer overflowed while parsing the exponent.
In rapidjson/include/rapidjson/reader.h:926:

            if (s.Peek() >= '0' && s.Peek() <= '9') {
                exp = s.Take() - '0';
                while (s.Peek() >= '0' && s.Peek() <= '9') {
                    exp = exp * 10 + (s.Take() - '0');  // <-- Probably Overflow Here !!!
                    if (exp > 308 && !expMinus) // exp > 308 should be rare, so it should be checked first.
                        RAPIDJSON_PARSE_ERROR(kParseErrorNumberTooBig, s.Tell());
                }
            }
            else
                RAPIDJSON_PARSE_ERROR(kParseErrorNumberMissExponent, s.Tell());
@miloyip miloyip added the bug label Apr 24, 2015
miloyip commented Apr 24, 2015

This is a bug. It is very important because it reads out-of-bounds memory. I have done a quick fix in 93d13ad.

During the fix, I also found that some numbers of a different form generate a parse error:

"1.7976931348623157e+308"   -> kParseErrorNone
"0.017976931348623157e+310" -> kParseErrorNumberTooBig

I have also pushed a commit to solve this second problem.

Besides, I also notice that there will still be some artificial cases with an incorrect kParseErrorNumberTooBig, such as an integer part >= 1.7976931348623157 x 10^307 with a negative exponent that brings the actual value within the possible double range. However, I think this false alarm is unimportant.

@miloyip miloyip mentioned this issue Apr 24, 2015
dkw72n commented Apr 24, 2015

Hi miloyip, thanks for responding so quickly.
I reviewed your commit, and am afraid the bug still exists.
Try this input: 1e-429496728999

miloyip added a commit that referenced this issue Apr 24, 2015
miloyip commented Apr 24, 2015

My bad... I forgot exp is a signed integer. The new 7708215 should be conservative.
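
The three inputs discussed in this thread, run through a number parser whose exponent loop cannot overflow. This is an added example and is not rapidjson's reader nor the fix in 93d13ad or 7708215: `ParseJsonNumber`, `kExpCap`, `SaturatingAddDigit` and the `NumberStatus` values are names chosen here, and the final decimal-to-binary conversion is delegated to `strtod` instead of rapidjson's own routine. The exponent digits are accumulated with saturation (once the magnitude passes `kExpCap` further digits are consumed but ignored), the fraction length is folded into the exponent the same bounded way, and a number is reported as too big only when the converted value is actually infinite, which is why `0.017976931348623157e+310` (exactly DBL_MAX) passes. For reference, by my arithmetic the digits of 429496728999 wrap to -601 in a 32-bit `int`, which the leading minus then turns into +601, outside the range `Pow10` asserts on.

```cpp
#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <string>

// Added example, not rapidjson's code: a JSON number parser in the same
// digit-by-digit style as reader.h, but with every integer counter bounded,
// so exponents such as "-00011111111111" or "-429496728999" cannot overflow.
enum NumberStatus { kOk, kMalformed, kTooBig };

struct ParsedNumber {
    NumberStatus status;
    double value;    // valid when status == kOk
    int exponent;    // effective decimal exponent applied to the digit string
};

// Magnitude cap for exponents (an assumption of this example): 10^kExpCap is far
// outside double range either way, and kExpCap * 10 + 9 still fits in an int.
static const int kExpCap = 100000;

static int SaturatingAddDigit(int acc, int digit) {
    return acc >= kExpCap ? kExpCap : acc * 10 + digit;
}

static bool IsDigit(char c) { return c >= '0' && c <= '9'; }

ParsedNumber ParseJsonNumber(const char* s) {
    ParsedNumber r = {kMalformed, 0.0, 0};
    size_t i = 0;
    bool negative = false;
    if (s[i] == '-') { negative = true; ++i; }

    std::string digits;  // significant decimal digits, leading zeros dropped
    int exp10 = 0;       // power of ten to apply to 'digits' read as an integer

    // Integer part: JSON allows a lone "0" or a non-zero digit followed by digits.
    if (s[i] == '0') ++i;
    else if (IsDigit(s[i])) { while (IsDigit(s[i])) digits += s[i++]; }
    else return r;

    // Fraction part: each fraction digit shifts the decimal point one place left.
    if (s[i] == '.') {
        ++i;
        if (!IsDigit(s[i])) return r;
        while (IsDigit(s[i])) {
            if (!digits.empty() || s[i] != '0') digits += s[i];
            exp10 = exp10 <= -kExpCap ? -kExpCap : exp10 - 1;
            ++i;
        }
    }

    // Exponent part: the loop from the report, accumulating with saturation.
    if (s[i] == 'e' || s[i] == 'E') {
        ++i;
        bool expMinus = false;
        if (s[i] == '+') ++i;
        else if (s[i] == '-') { expMinus = true; ++i; }
        if (!IsDigit(s[i])) return r;  // rapidjson's NumberMissExponent case
        int e = 0;
        while (IsDigit(s[i])) e = SaturatingAddDigit(e, s[i++] - '0');
        long long combined = static_cast<long long>(exp10) + (expMinus ? -e : e);
        if (combined > kExpCap) combined = kExpCap;
        if (combined < -kExpCap) combined = -kExpCap;
        exp10 = static_cast<int>(combined);
    }
    if (s[i] != '\0') return r;  // trailing characters are not part of a number

    r.exponent = exp10;
    if (digits.empty()) { r.status = kOk; r.value = negative ? -0.0 : 0.0; return r; }

    // Final decimal-to-binary step delegated to strtod (correctly rounded); the
    // exponent travels as text, so no integer arithmetic happens on its value.
    // Only a genuine overflow to infinity counts as "too big".
    std::string canonical = digits + "e" + std::to_string(exp10);
    double v = std::strtod(canonical.c_str(), nullptr);
    if (std::isinf(v)) { r.status = kTooBig; return r; }
    r.status = kOk;
    r.value = negative ? -v : v;
    return r;
}

int main() {
    const char* inputs[] = {"1e-00011111111111", "1e-429496728999",
                            "0.017976931348623157e+310", "1e400"};
    for (const char* in : inputs) {
        ParsedNumber p = ParseJsonNumber(in);
        std::printf("%-28s status=%d exponent=%d value=%g\n", in, p.status, p.exponent, p.value);
    }
    return 0;
}
```

Both reported inputs end up with exponent -100000 and value 0.0 rather than an out-of-range call into `Pow10`; `1e400` is the only one rejected as too big.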

dkw72n commented Apr 24, 2015

Thanks again, I think this time it is really fixed.

I should mention that this bug was initially triggered by a fuzzer called "american fuzzy lop", which is written by a Google staff member: http://lcamtuf.coredump.cx/afl/

miloyip added a commit that referenced this issue Apr 25, 2015
Fix #313 Assertion In `Pow10.h` is triggered in Document::Parse
bkandasa pushed a commit to mysql/mysql-server that referenced this issue Aug 4, 2015
              RAPIDJSON::INTERNAL::FASTPATH

An assertion was hit in rapidjson when parsing a JSON text that
contained a floating point number with a large, negative exponent.

The bug is fixed upstream in this bug report:
Tencent/rapidjson#313

This patch applies the upstream fix to
extra/rapidjson/include/rapidjson/reader.h.

(cherry picked from commit 9392c553a046a6feb053dbd62649e33db8b41c2b)
bjornmu pushed a commit to mysql/mysql-server that referenced this issue Oct 21, 2015
kamil-holubicki pushed a commit to kamil-holubicki/percona-xtradb-cluster that referenced this issue Jun 2, 2023
kamil-holubicki pushed a commit to kamil-holubicki/percona-xtradb-cluster that referenced this issue Jun 2, 2023