Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix buffer overread when parsing a UTF16 exponent
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 9e61c90be48664843144ba1f07933735a70a6bf5
User & Date: peterreid 2013-10-25 02:37:10.823
Context
2013-10-25
20:20
Add start of checkpointing code to btree. check-in: 29373a8844 user: dan tags: trunk
02:37
Fix buffer overread when parsing a UTF16 exponent check-in: 9e61c90be4 user: peterreid tags: trunk
01:33
Fix parsing UTF16 nums with multi-digit exponents check-in: 667cfd8694 user: peterreid tags: trunk
Changes
Unified Diff Ignore Whitespace Patch
Changes to src/math.c.
299
300
301
302
303
304
305
306


307
308
309
310
311
312
313
/*
** Convert text into a number and return that number.
**
** When converting from UTF16, this routine only looks at the
** least significant byte of each character.  It is assumed that
** the most significant byte of every character in the string
** is 0.  If that assumption is violated, then this routine can
** yield an anomolous result.


**
** Conversion stops at the first \000 character.  At most nIn bytes
** of zIn are examined.  Or if nIn is negative, up to a billion bytes
** are scanned, which we assume is more than will be found in any valid
** numeric string.
**
** If the value does not contain a decimal point or exponent, and is







|
>
>







299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
/*
** Convert text into a number and return that number.
**
** When converting from UTF16, this routine only looks at the
** least significant byte of each character.  It is assumed that
** the most significant byte of every character in the string
** is 0.  If that assumption is violated, then this routine can
** yield an anomalous result.  If the most significant byte of
** the final character is beyond the nIn examined bytes, then 
** it is treated as 0.
**
** Conversion stops at the first \000 character.  At most nIn bytes
** of zIn are examined.  Or if nIn is negative, up to a billion bytes
** are scanned, which we assume is more than will be found in any valid
** numeric string.
**
** If the value does not contain a decimal point or exponent, and is
418
419
420
421
422
423
424


425
426
427
428
429
430
431
432
433
        /* Permit only a single radix in each number */
        if( seenRadix ) goto finished;
        seenRadix = 1;
        bReal = 1;
      }else if( c=='e' || c=='E' ){
        int f = (flags & (SQLITE4_PREFIX_ONLY|SQLITE4_IGNORE_WHITESPACE));
        if( incr==2 ) f |= SQLITE4_UTF16LE; 


        sqlite4_num exp;
        exp = sqlite4_num_from_text(&zIn[i+incr], nIn-i-incr, f, 0);
        if( sqlite4_num_isnan(exp) ) goto finished;
        if( exp.e || exp.m>999 ) goto finished;
        bReal = 1;
        r.e += (int)(exp.m) * (exp.sign ? -1 : 1);
        i = nIn;
        break;
      }else{







>
>

|







420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
        /* Permit only a single radix in each number */
        if( seenRadix ) goto finished;
        seenRadix = 1;
        bReal = 1;
      }else if( c=='e' || c=='E' ){
        int f = (flags & (SQLITE4_PREFIX_ONLY|SQLITE4_IGNORE_WHITESPACE));
        if( incr==2 ) f |= SQLITE4_UTF16LE; 
        i += incr;
        if( i>=nIn ) goto finished;
        sqlite4_num exp;
        exp = sqlite4_num_from_text(&zIn[i], nIn-i, f, 0);
        if( sqlite4_num_isnan(exp) ) goto finished;
        if( exp.e || exp.m>999 ) goto finished;
        bReal = 1;
        r.e += (int)(exp.m) * (exp.sign ? -1 : 1);
        i = nIn;
        break;
      }else{
Changes to test/num.test.
223
224
225
226
227
228
229




230
231
232
233
234
235
236
237
238
239
240
241




242
243
244
245
246
247
248
249
250

#-------------------------------------------------------------------------
# Test from UTF16BE text
#
foreach {tn in len out} {
  0     274    -1   274
  1     3e+484 -1   3e+484




} {
  do_test num-9.3.$tn { 
    sqlite4_num_to_text [sqlite4_num_from_text $in $len b]
  } $out
} 

#-------------------------------------------------------------------------
# Test from UTF16LE text
#
foreach {tn in len out} {
  0     4639   -1    4639
  1     5e+388 -1    5e+388 




} {
  do_test num-9.3.$tn { 
    sqlite4_num_to_text [sqlite4_num_from_text $in $len l]
  } $out
} 

foreach {tn in out} {
  0     50                                            50
  1     -94                                           -94







>
>
>
>












>
>
>
>

|







223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

#-------------------------------------------------------------------------
# Test from UTF16BE text
#
foreach {tn in len out} {
  0     274    -1   274
  1     3e+484 -1   3e+484
  2     2e1    3     2 
  3     2e1    4     2 
  4     2e1    5     2
  5     2e1    6     20 
} {
  do_test num-9.3.$tn { 
    sqlite4_num_to_text [sqlite4_num_from_text $in $len b]
  } $out
} 

#-------------------------------------------------------------------------
# Test from UTF16LE text
#
foreach {tn in len out} {
  0     4639   -1    4639
  1     5e+388 -1    5e+388 
  2     2e1    3     2 
  3     2e1    4     2 
  4     2e1    5     20
  5     2e1    6     20 
} {
  do_test num-9.4.$tn { 
    sqlite4_num_to_text [sqlite4_num_from_text $in $len l]
  } $out
} 

foreach {tn in out} {
  0     50                                            50
  1     -94                                           -94