Bug 516396: Limit the input string for PR_strtod to at most 64 * 1024 NSPR_4_7_BRANCH NSPR_4_7_6_BETA1
authorwtc%google.com
Sat, 03 Oct 2009 02:42:16 +0000
branchNSPR_4_7_BRANCH
changeset 4162 ea08efa0779933bc97be73aab467c67f109ab909
parent 4161 05a434b202094eca97b5b189b1c45784c6c422ed
child 4166 29d0c65372a236e8f17a4ec6cd0ca618bfa339e2
push idunknown
push userunknown
push dateunknown
bugs516396
Bug 516396: Limit the input string for PR_strtod to at most 64 * 1024 characters long to prevent PR_strtod from taking too long. Tag: NSPR_4_7_BRANCH
pr/src/misc/prdtoa.c
--- a/pr/src/misc/prdtoa.c
+++ b/pr/src/misc/prdtoa.c
@@ -1754,16 +1754,18 @@ PR_strtod
 					e = -e;
 				}
 			else
 				e = 0;
 			}
 		else
 			s = s00;
 		}
+	if (nd > 64 * 1024)
+		goto ret0;
 	if (!nd) {
 		if (!nz && !nz0) {
 #ifdef INFNAN_CHECK
 			/* Check for Nan and Infinity */
 			switch(c) {
 			  case 'i':
 			  case 'I':
 				if (match(&s,"nf")) {
@@ -1784,16 +1786,17 @@ PR_strtod
 					if (*s == '(') /*)*/
 						hexnan(&rv, &s);
 #endif
 					goto ret;
 					}
 			  }
 #endif /* INFNAN_CHECK */
  ret0:
+			PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
 			s = s00;
 			sign = 0;
 			}
 		goto ret;
 		}
 	e1 = e -= nf;
 
 	/* Now we have nd0 digits, starting at s0, followed by a