1From 5592bfb58eb8d1c8a644e67c9bba795d1384a995 Mon Sep 17 00:00:00 2001
2From: Marc Lehmann <schmorp@schmorp.de>
3Date: Sat, 6 Sep 2025 11:31:36 +0200
4Subject: [PATCH 1/2] fix json_atof_scan1 overflows
5
6with fuzzed overlong numbers. CVE-2025-40928
7Really the comparisons were wrong.
8---
9 XS.xs | 8 ++++----
10 1 file changed, 4 insertions(+), 4 deletions(-)
11
12diff --git a/XS.xs b/XS.xs
13index 9b1ce2b..94ab0d6 100755
14--- a/XS.xs
15+++ b/XS.xs
16@@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
17 /* if we recurse too deep, skip all remaining digits */
18 /* to avoid a stack overflow attack */
19 if (UNLIKELY(--maxdepth <= 0))
20- while (((U8)*s - '0') < 10)
21+ while ((U8)(*s - '0') < 10)
22 ++s;
23
24 for (;;)
25 {
26- U8 dig = (U8)*s - '0';
27+ U8 dig = (U8)(*s - '0');
28
29 if (UNLIKELY(dig >= 10))
30 {
31- if (dig == (U8)((U8)'.' - (U8)'0'))
32+ if (dig == (U8)('.' - '0'))
33 {
34 ++s;
35 json_atof_scan1 (s, accum, expo, 1, maxdepth);
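Review bot: The corrected skip loop at the top of the hunk deserves a comment explaining why the cast must wrap the subtraction, since the old spelling `(U8)*s - '0'` reads naturally and is likely to be reintroduced: in that form the U8 was promoted to int before the subtraction, so NUL and every byte below '0' compared below 10 and the loop walked past the terminator. Suggested comment above the `while`: `/* cast the difference, not the byte: NUL and bytes below '0' must wrap to >= 10 rather than go negative */`. The two `dig = ...` rewrites and the `'.' - '0'` comparison look behaviour-neutral, because the store into a U8 and the outer cast already truncate the same way, so a reader may wonder whether they fix anything; a short `/* same form as the skip loop, for consistency */` would settle that. json_atof_scan1 begins before this hunk and continues past it.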
36@@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
37 else if (*s == '+')
38 ++s;
39
40- while ((dig = (U8)*s - '0') < 10)
41+ while ((dig = (U8)(*s - '0')) < 10)
42 exp2 = exp2 * 10 + *s++ - '0';
43
44 *expo += neg ? -exp2 : exp2;
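Review bot: The exponent loop still folds every digit into `exp2` with no bound, so a numeral whose exponent runs to a few dozen digits overflows the accumulator — signed overflow, i.e. undefined behaviour, if `exp2` is an `int` like `*expo` (its declaration sits above the hunk); the commit's cast change only stops the loop from running past non-digit bytes. Saturating the accumulator is enough, since an exponent of that magnitude is already far outside what an NV can represent: `while ((dig = (U8)(*s - '0')) < 10) { if (exp2 < 100000) exp2 = exp2 * 10 + dig; ++s; }`. With that clamp the `*expo += neg ? -exp2 : exp2;` line also stays within range. The rest of json_atof_scan1 is outside this hunk.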
45--
462.50.1
47