
Possible out of bound write serializing double

Open ctrychta opened this issue 1 year ago • 1 comment

I was porting your Schubfach implementation (it's very nice, by the way, so thank you for that) and encountered a case where I was seeing a write past the end of the buffer.

I think an example case would be something like: Double.longBitsToDouble(-6634365113987401870L)

It appeared that what was happening was this: the initial ensureCapacity(24) reserves all the space needed for the double representation, but when write3Digits runs to write the last 3 digits of a double that takes the full 24 bytes, it writes 4 bytes (even though only 3 are used), and the last byte could be past the end of the buffer. Of course, I may have missed something in the port, but I thought I would report it just in case.

ctrychta avatar Jun 28 '24 14:06 ctrychta
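The off-by-one described in the report, as an added model rather than jsoniter-scala's own code: a hypothetical writer reserves exactly 24 bytes for the longest double representation, and its three-digit routine copies a 4-byte table entry (three digit characters plus a pad byte) even though only 3 bytes are consumed. When the final three digits are the exponent of a 24-character value, that copy lands one byte past the reserved space; the mantissa is taken from Python's shortest round-trip repr, so the digit grouping is simplified compared with the real Schubfach code, and `spare` models the fix of reserving one extra byte.

```python
import struct

# Constructed reproduction of the bit pattern from the report (Double.longBitsToDouble).
REPORTED_BITS = -6634365113987401870
# Three-digit table stored as 4 bytes per entry ("ddd" + pad) so a whole word can
# be copied; only the first 3 bytes are meaningful.
DIGITS3 = [b"%03d\x00" % i for i in range(1000)]


def double_from_bits(bits):
    return struct.unpack("<d", struct.pack("<q", bits))[0]


class Writer:
    """Hypothetical fixed-capacity writer, not jsoniter-scala's own code."""
    def __init__(self):
        self.buf = bytearray()
        self.count = 0

    def ensure_capacity(self, n):
        need = self.count + n - len(self.buf)  # grow so exactly n more bytes fit
        if need > 0:
            self.buf.extend(bytes(need))

    def put(self, data):
        end = self.count + len(data)
        if end > len(self.buf):  # a bytearray would silently grow; a JVM array throws
            raise IndexError("write of %d bytes at %d exceeds %d" % (len(data), self.count, len(self.buf)))
        self.buf[self.count:end] = data
        self.count += len(data)

    def write3digits(self, n, copy_word):
        entry = DIGITS3[n]
        self.put(entry if copy_word else entry[:3])  # buggy path copies the pad byte too
        if copy_word:
            self.count -= 1  # the pad byte is never consumed: advance by 3 only


def write_double(x, copy_word=True, spare=0):
    """Serialize like '-1.2345678901234567E-135'; copy_word=True models the bug."""
    w = Writer()
    w.ensure_capacity(24 + spare)  # 24 is the longest double representation
    mant, _, exp = repr(x).partition("e")  # Python's shortest round-trip digits
    w.put(mant.encode())
    if exp:
        e = int(exp)
        w.put(b"E-" if e < 0 else b"E")
        if abs(e) >= 100:
            w.write3digits(abs(e), copy_word)  # the 4-byte copy is the last write
        else:
            w.put(str(abs(e)).encode())
    return bytes(w.buf[:w.count])
```

Values near the reported bit pattern mostly need 17 significant digits, so `write_double(double_from_bits(REPORTED_BITS))` fills all 24 bytes and raises on the buggy path while succeeding with `spare=1` or `copy_word=False`.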

@ctrychta Thanks for reporting! Probably the bug exists in jsoniter-scala-core code for both JVM and Scala Native platforms. I'll try to reproduce it in unit tests.

plokhotnyuk avatar Jun 29 '24 04:06 plokhotnyuk

@ctrychta Thanks again! The bug was reproduced by unit tests after improving them to use buffers of different sizes.

Also, I cut the v2.30.2 release with a fix.

plokhotnyuk avatar Jul 02 '24 09:07 plokhotnyuk