Bug 700938: Fix stack overflow in numtostr as used by Number#toFixed().

32 bytes is not enough to hold the output of sprintf("%.20f", 1e20).
We need at least 43 bytes to fit that format.
Bump the static buffer size.
Tor Andersson
2019-04-02 10:52:44 +02:00
parent 0c03f9c057
commit da632ca08f


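--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -27,7 +27,7 @@ static void Np_valueOf(js_State *J)
 static void Np_toString(js_State *J)
 {
-char buf[32];
+char buf[100];
 js_Object *self = js_toobject(J, 0);
 int radix = js_isundefined(J, 1) ? 10 : js_tointeger(J, 1);
 if (self->type != JS_CNUMBER)
@@ -42,7 +42,6 @@ static void Np_toString(js_State *J)
 /* lame number to string conversion for any radix from 2 to 36 */
 {
 static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
-char buf[100];
 double number = self->u.number;
 int sign = self->u.number < 0;
 js_Buffer *sb = NULL;
@@ -115,7 +114,8 @@ static void Np_toString(js_State *J)
 /* Customized ToString() on a number */
 static void numtostr(js_State *J, const char *fmt, int w, double n)
 {
-char buf[32], *e;
+/* buf needs to fit printf("%.20f", 1e20) */
+char buf[50], *e;
 sprintf(buf, fmt, w, n);
 e = strchr(buf, 'e');
 if (e) {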
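Review bot: The new `char buf[50]` in numtostr still feeds an unbounded `sprintf(buf, fmt, w, n)` on the following line, so the fix holds only as long as every caller's `fmt`/`w` pair stays under 50 bytes of output; `snprintf(buf, sizeof buf, fmt, w, n);` would turn a future miscalculation into a truncated string instead of a stack overflow. The added comment documents only the `%.20f` of 1e20 case; if any caller lets `w` exceed 20 (ECMAScript allows up to 100 for toPrecision and toExponential), a `%.*e` or `%.*g` result could again outgrow the buffer, which is worth confirming wherever `w` is range-checked, as that code is not in this hunk. A slightly broader comment would capture the real invariant: `/* buf must hold the widest output any caller's fmt/w can produce; printf("%.20f", 1e20) alone needs 43 bytes */`. numtostr's body continues outside the hunk.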