types: NewDecFromStr can return a Dec with too big decimal and panic #9160

Closed
cuonglm opened this issue Apr 21, 2021 · 0 comments · Fixed by #9157

cuonglm commented Apr 21, 2021

Summary of Bug

For very large decimal string input, types.NewDecFromStr does not validate the decimal size and returns a valid Dec. Subsequent use of this Dec's methods can lead to a panic.

Found by oss-fuzz: https://oss-fuzz.com/testcase-detail/6454129938530304 through continuous fuzzing

Version

045c45f

Steps to Reproduce

types.NewDecFromStr("88888888888888888888888888888888888888888888888888888888888888888888844444440")

For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
odeke-em changed the title from "types: NewDecFromStr can return a Dec with too big decimal" to "types: NewDecFromStr can return a Dec with too big decimal and panic" on Apr 21, 2021
alessio pushed a commit that referenced this issue Apr 22, 2021
Otherwise, NewDecFromStr may accept very large input, causing Dec
methods to panic, e.g. Dec.TruncateInt

Found by oss-fuzz: https://oss-fuzz.com/testcase-detail/6454129938530304

Fixes #9160
alessio pushed a commit that referenced this issue Apr 22, 2021
From: #9157
Closes: #9160

Co-authored-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
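
The failure mode reported above and a parse-time size bound, as an added Go sketch that is not code from this issue or from the project: an unchecked parser accepts an oversized value that only panics later on truncation, while the checked path rejects it up front. The names `parse`, `truncateInt` and `panics`, the limits of 18 fractional digits and 256 integer bits, and the oversized input are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

const precision, maxIntBits = 18, 256 // assumed limits (not from the issue): fraction digits, integer bits
var scale = new(big.Int).Exp(big.NewInt(10), big.NewInt(precision), nil)
var maxDecBits = maxIntBits + scale.BitLen() - 1 // values within this truncate to <= maxIntBits

// parse returns value*10^precision; with checked set it also enforces maxDecBits.
func parse(s string, checked bool) (*big.Int, error) {
	intPart, frac, _ := strings.Cut(s, ".")
	if intPart == "" || len(frac) > precision {
		return nil, fmt.Errorf("malformed decimal: %q", s)
	}
	v, ok := new(big.Int).SetString(intPart+frac+strings.Repeat("0", precision-len(frac)), 10)
	if !ok {
		return nil, fmt.Errorf("malformed decimal: %q", s)
	}
	if checked && v.BitLen() > maxDecBits {
		return nil, fmt.Errorf("decimal out of range: %d bits, max %d", v.BitLen(), maxDecBits)
	}
	return v, nil
}

// truncateInt drops the fraction and panics when the result exceeds maxIntBits.
func truncateInt(v *big.Int) *big.Int {
	q := new(big.Int).Quo(v, scale)
	if q.BitLen() > maxIntBits {
		panic("integer overflow")
	}
	return q
}

// panics reports whether truncateInt(v) panics.
func panics(v *big.Int) (p bool) {
	defer func() { p = recover() != nil }()
	truncateInt(v)
	return false
}

func main() {
	huge := strings.Repeat("9", 100) // constructed oversized input
	v, _ := parse(huge, false)
	_, err := parse(huge, true)
	fmt.Println("unchecked value panics on truncate:", panics(v), "| checked parse:", err)
}
```

Because the bound is derived from the scale factor, any value that passes the checked parse is guaranteed to truncate within the integer limit.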