Headline
CVE-2021-33797: Issue #148: Check for overflow when reading floating point exponent. · ccxvii/mujs@833b6f1
Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to 1.1.1. An integer overflow happens when js_strtod() reads in floating point exponent, which leads to a buffer overflow in the pointer *d.
Permalink
Browse files
Issue #148: Check for overflow when reading floating point exponent.
GCC with -O2 optimizes away the if(exp<-maxExponent) branch completely, so we don’t end up with the expected ‘512’ value for overflowing exponents. Limit the exponent parsing to MAX_INT instead to prevent signed overflow from tripping up over-eager optimizing compilers.
- Loading branch information