summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Wellnhofer <wellnhofer@aevum.de>2023-04-10 21:54:07 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2023-04-10 21:54:07 +0200
commit677b2e8fe8187f3ba981dc97f65e75fec2dec62c (patch)
treed308fac2b32a41e0abd157c0d7c8c983ef0973df
parent075b6087785d7ba3dd6904f117ef9d0b9aa36a2b (diff)
downloadlibxslt-677b2e8fe8187f3ba981dc97f65e75fec2dec62c.tar.gz
numbers: Fix floating point overflow in xsltFormatNumberConversion
Found by OSS-Fuzz.
Diffstat
-rw-r--r--libxslt/numbers.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index e0ae6259..1764abba 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -965,6 +965,7 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
xmlChar *the_format, *prefix = NULL, *suffix = NULL;
xmlChar *nprefix, *nsuffix = NULL;
int prefix_length, suffix_length = 0, nprefix_length, nsuffix_length;
+ int exp10;
double scale;
int j, len = 0;
int self_grouping_len;
@@ -1303,7 +1304,18 @@ OUTPUT_NUMBER:
/* Round to n digits */
number = fabs(number);
- scale = pow(10.0, (double)(format_info.frac_digits + format_info.frac_hash));
+ exp10 = format_info.frac_digits + format_info.frac_hash;
+ /* DBL_MAX_10_EXP should be 308 on IEEE platforms. */
+ if (exp10 > DBL_MAX_10_EXP) {
+ if (format_info.frac_digits > DBL_MAX_10_EXP) {
+ format_info.frac_digits = DBL_MAX_10_EXP;
+ format_info.frac_hash = 0;
+ } else {
+ format_info.frac_hash = DBL_MAX_10_EXP - format_info.frac_digits;
+ }
+ exp10 = DBL_MAX_10_EXP;
+ }
+ scale = pow(10.0, (double) exp10);
number += .5 / scale;
number -= fmod(number, 1 / scale);
View Lorry Controller Status