Fix buffer overflow in string radix conversion (#4850)

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
2021-12-07 15:28:10 +01:00
parent 18dd9aa75a
commit 55acdf2048
3 changed files with 34 additions and 11 deletions
@@ -368,16 +368,6 @@ ecma_utf8_string_to_number (const lit_utf8_byte_t *str_p, /**< utf-8 string */

  bool sign = false;

-  if (*str_p == LIT_CHAR_PLUS)
-  {
-    str_p++;
-  }
-  else if (*str_p == LIT_CHAR_MINUS)
-  {
-    sign = true;
-    str_p++;
-  }
-
  if (str_p + 2 < end_p && str_p[0] == LIT_CHAR_0)
  {
    uint8_t radix = lit_char_to_radix (str_p[1]);
@@ -388,6 +378,16 @@ ecma_utf8_string_to_number (const lit_utf8_byte_t *str_p, /**< utf-8 string */
    }
  }

+  if (*str_p == LIT_CHAR_PLUS)
+  {
+    str_p++;
+  }
+  else if (*str_p == LIT_CHAR_MINUS)
+  {
+    sign = true;
+    str_p++;
+  }
+
  /* Check if string is equal to "Infinity". */
  const lit_utf8_byte_t *infinity_str_p = lit_get_magic_string_utf8 (LIT_MAGIC_STRING_INFINITY_UL);
  const lit_utf8_size_t infinity_length = lit_get_magic_string_size (LIT_MAGIC_STRING_INFINITY_UL);
@@ -659,7 +659,7 @@ ecma_number_parse_float (const lit_utf8_byte_t *str_p, /**< routine's first argu
  }

  /* 5. */
-  ecma_number_t ret_num = ecma_utf8_string_to_number (num_start_p, (lit_utf8_size_t) (num_end_p - num_start_p), 0);
+  ecma_number_t ret_num = ecma_utf8_string_to_number (num_start_p, num_size, 0);

  if (sign)
  {