diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h index 7441eda..f95aef4 100644 --- a/include/rapidjson/reader.h +++ b/include/rapidjson/reader.h @@ -1632,9 +1632,18 @@ private: if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) { exp = static_cast(s.Take() - '0'); if (expMinus) { + // (exp + expFrac) must not underflow int => we're detecting when -exp gets + // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into + // underflow territory): + // + // -(exp * 10 + 9) + expFrac >= INT_MIN + // <=> exp <= (expFrac - INT_MIN - 9) / 10 + RAPIDJSON_ASSERT(expFrac <= 0); + int maxExp = (expFrac + 2147483639) / 10; + while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) { exp = exp * 10 + static_cast(s.Take() - '0'); - if (exp >= 214748364) { // Issue #313: prevent overflow exponent + if (RAPIDJSON_UNLIKELY(exp > maxExp)) { while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9')) // Consume the rest of exponent s.Take(); } diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp index e530801..c4800b9 100644 --- a/test/unittest/readertest.cpp +++ b/test/unittest/readertest.cpp @@ -242,6 +242,7 @@ static void TestParseDouble() { TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0); // Maximum supported negative exponent TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0); TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0); + TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0); TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form // Since