ref: da632ca08f240590d2dec786722ed08486ce1be6
parent: 0c03f9c05745d13fec4c9c6b2d947c5be8a8b4de
author: Tor Andersson <[email protected]>
date: Tue Apr 2 06:52:44 EDT 2019
Bug 700938: Fix stack overflow in numtostr as used by Number#toFixed(). 32 is not enough to fit sprintf("%.20f", 1e20). We need at least 43 bytes to fit that format. Bump the static buffer size.
--- a/jsnumber.c
+++ b/jsnumber.c
@@ -27,7 +27,7 @@
static void Np_toString(js_State *J)
{
- char buf[32];
+ char buf[100];
js_Object *self = js_toobject(J, 0);
int radix = js_isundefined(J, 1) ? 10 : js_tointeger(J, 1);
if (self->type != JS_CNUMBER)
@@ -42,7 +42,6 @@
/* lame number to string conversion for any radix from 2 to 36 */
{
static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
- char buf[100];
double number = self->u.number;
int sign = self->u.number < 0;
js_Buffer *sb = NULL;
@@ -115,7 +114,8 @@
/* Customized ToString() on a number */
static void numtostr(js_State *J, const char *fmt, int w, double n)
{
- char buf[32], *e;
+ /* buf needs to fit printf("%.20f", 1e20) */
+ char buf[50], *e;
sprintf(buf, fmt, w, n);
e = strchr(buf, 'e');
if (e) {