
Commit 5ccf645

committed
Fix buffer overrun in make_float()
Fixes #2220
1 parent ab8c9be commit 5ccf645

3 files changed

Lines changed: 40 additions & 0 deletions


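--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,13 @@ HEAD
 > + doc["strings"] = JsonString("hello\0world", 11)
 > ```
 
+v7.4.3 (2026-03-02)
+------
+
+* Fix a buffer overrun in `as<T>()` when `T` is a numeric type and
+the variant contains a string representing a floating point number
+with a large number of digits (issue #2220)
+
 v7.4.2 (2025-06-20)
 ------
 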

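--- a/extras/tests/Numbers/parseDouble.cpp
+++ b/extras/tests/Numbers/parseDouble.cpp
@@ -93,4 +93,34 @@ TEST_CASE("parseNumber<double>()") {
 checkDoubleNaN("NaN");
 checkDoubleNaN("nan");
 }
+
+SECTION("Overflow exponent with decimal part") { // Issue #2220
+checkDoubleNaN(
+"0.000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000001");
+}
+
+SECTION("Overflow exponent with integral part") {
+checkDoubleNaN(
+"10000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000"
+"00000000000000000000000000000000000000000000000000");
+}
 }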
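Review bot: Both new sections sit under `TEST_CASE("parseNumber<double>()")`, so only the `double` instantiation of the guarded loop gets a regression case. `make_float` is a template over `TFloat` and takes its table from `traits`, so the `float` path presumably has its own, shorter table, and none of the three files in this commit tests it. A matching pair of sections in the float parser test, reusing these digit strings, would pin the bounds check for that instantiation as well. The expectation also deserves a short comment such as `// exponent does not fit the powers-of-ten table: the parser reports NaN`, because both inputs are well-formed decimal numbers and a reader may expect 0 or infinity. The enclosing TEST_CASE starts outside the hunk.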

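--- a/src/ArduinoJson/Numbers/FloatTraits.hpp
+++ b/src/ArduinoJson/Numbers/FloatTraits.hpp
@@ -198,10 +198,13 @@ inline TFloat make_float(TFloat m, TExponent e) {
 
 auto powersOfTen = e > 0 ? traits::positiveBinaryPowersOfTen()
 : traits::negativeBinaryPowersOfTen();
+
 if (e <= 0)
 e = TExponent(-e);
 
 for (uint8_t index = 0; e != 0; index++) {
+if (index >= powersOfTen.size())
+return traits::nan();
 if (e & 1)
 m *= powersOfTen[index];
 e >>= 1;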
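Review bot: The new guard at the top of the `for` loop returns `traits::nan()` for every exponent that needs more bits than `powersOfTen` has entries, whichever way the exponent pointed. By then `e` has already been replaced by its absolute value, so the sign is no longer available at the check. A caller therefore cannot tell a magnitude that is too large from one that is too small, or from malformed input. If that is intended, say so on the guard, for example `// exponent needs more bits than the table has entries: out of range, fail closed with NaN`. It is also worth confirming that `TExponent(-e)` is never reached with the minimum value of a signed `TExponent`, if the type is signed: the guard now bounds the loop in that case but not the negation itself. The body of `make_float` starts before and ends after this hunk.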
