From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Sun, 26 Dec 2021 19:56:58 +0000 (+0000)
Subject: [Minor] Fix another overflow
X-Git-Tag: 3.2~139
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f91baff1833441f3d86b63dd282364857eceeda8;p=thirdparty%2Frspamd.git

[Minor] Fix another overflow
---

diff --git a/src/libserver/css/css_tokeniser.cxx b/src/libserver/css/css_tokeniser.cxx
index dc570d64b9..e44c14011d 100644
--- a/src/libserver/css/css_tokeniser.cxx
+++ b/src/libserver/css/css_tokeniser.cxx
@@ -20,6 +20,7 @@
 #include "frozen/unordered_map.h"
 #include "frozen/string.h"
 #include <string>
+#include <cmath>
 
 namespace rspamd::css {
 
@@ -29,8 +30,8 @@ namespace rspamd::css {
  * This helper is intended to create tokens either with a tag and value
  * or with just a tag.
  */
-template<css_parser_token::token_type T, typename ...Args>
-auto make_token(const Args&... args) -> css_parser_token;
+template<css_parser_token::token_type T, class Arg>
+auto make_token(const Arg &arg) -> css_parser_token;
 
 template<>
 auto make_token<css_parser_token::token_type::string_token, std::string_view>(const std::string_view &s)
@@ -76,7 +77,7 @@ auto make_token<css_parser_token::token_type::delim_token, char>(const char &c)
 
 template<>
 auto make_token<css_parser_token::token_type::number_token, float>(const float &d)
--> css_parser_token
+	-> css_parser_token
 {
 	return css_parser_token{css_parser_token::token_type::number_token, d};
 }
@@ -360,51 +361,52 @@ auto css_tokeniser::consume_number() -> struct css_parser_token
 	}
 
 	if (i > offset) {
-		float num;
-
 		/* I wish it was supported properly */
 		//auto conv_res = std::from_chars(&input[offset], &input[i], num);
 		char numbuf[128], *endptr = NULL;
 		rspamd_strlcpy(numbuf, &input[offset], MIN(i - offset + 1, sizeof(numbuf)));
-		num = g_ascii_strtod(numbuf, &endptr);
+		auto num = g_ascii_strtod(numbuf, &endptr);
+		offset = i;
 
-		if (endptr && *endptr != '\0') {
+		if ((endptr && *endptr != '\0') || num >= G_MAXFLOAT || num <= G_MINFLOAT || isnan(num)) {
 			msg_debug_css("invalid number: %s", numbuf);
+			return make_token<css_parser_token::token_type::delim_token>(input[i - 1]);
 		}
-		offset = i;
+		else {
 
-		auto ret = make_token<css_parser_token::token_type::number_token>(num);
+			auto ret = make_token<css_parser_token::token_type::number_token>(static_cast<float>(num));
 
-		if (i < input.size()) {
-			if (input[i] == '%') {
-				ret.flags |= css_parser_token::number_percent;
-				i ++;
+			if (i < input.size()) {
+				if (input[i] == '%') {
+					ret.flags |= css_parser_token::number_percent;
+					i++;
 
-				offset = i;
-			}
-			else if (is_plain_ident_start(input[i])) {
-				auto dim_token = consume_ident();
-
-				if (dim_token.type == css_parser_token::token_type::ident_token) {
-					if (!ret.adjust_dim(dim_token)) {
-						auto sv = std::get<std::string_view>(dim_token.value);
-						msg_debug_css("cannot apply dimension from the token %*s; number value = %.1f",
-								(int)sv.size(), sv.begin(), num);
-						/* Unconsume ident */
-						offset = i;
+					offset = i;
+				}
+				else if (is_plain_ident_start(input[i])) {
+					auto dim_token = consume_ident();
+
+					if (dim_token.type == css_parser_token::token_type::ident_token) {
+						if (!ret.adjust_dim(dim_token)) {
+							auto sv = std::get<std::string_view>(dim_token.value);
+							msg_debug_css("cannot apply dimension from the token %*s; number value = %.1f",
+									(int) sv.size(), sv.begin(), num);
+							/* Unconsume ident */
+							offset = i;
+						}
+					}
+					else {
+						/* We have no option but to uncosume ident token in this case */
+						msg_debug_css("got invalid ident like token after number, unconsume it");
 					}
 				}
 				else {
-					/* We have no option but to uncosume ident token in this case */
-					msg_debug_css("got invalid ident like token after number, unconsume it");
+					/* Plain number, nothing to do */
 				}
 			}
-			else {
-				/* Plain number, nothing to do */
-			}
-		}
 
-		return ret;
+			return ret;
+		}
 	}
 	else {
 		msg_err_css("internal error: invalid number, empty token");