shithub: libmujs

Download patch

ref: da632ca08f240590d2dec786722ed08486ce1be6
parent: 0c03f9c05745d13fec4c9c6b2d947c5be8a8b4de
author: Tor Andersson <[email protected]>
date: Tue Apr 2 06:52:44 EDT 2019

Bug 700938: Fix stack overflow in numtostr as used by Number#toFixed().

32 is not enough to fit sprintf("%.20f", 1e20).
We need at least 43 bytes to fit that format.
Bump the static buffer size.

--- a/jsnumber.c
+++ b/jsnumber.c
@@ -27,7 +27,7 @@
 
 static void Np_toString(js_State *J)
 {
-	char buf[32];
+	char buf[100];
 	js_Object *self = js_toobject(J, 0);
 	int radix = js_isundefined(J, 1) ? 10 : js_tointeger(J, 1);
 	if (self->type != JS_CNUMBER)
@@ -42,7 +42,6 @@
 	/* lame number to string conversion for any radix from 2 to 36 */
 	{
 		static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
-		char buf[100];
 		double number = self->u.number;
 		int sign = self->u.number < 0;
 		js_Buffer *sb = NULL;
@@ -115,7 +114,8 @@
 /* Customized ToString() on a number */
 static void numtostr(js_State *J, const char *fmt, int w, double n)
 {
-	char buf[32], *e;
+	/* buf needs to fit printf("%.20f", 1e20) */
+	char buf[50], *e;
 	sprintf(buf, fmt, w, n);
 	e = strchr(buf, 'e');
 	if (e) {