Limit exponent range in number parsing.

Reported by XmiliaH.

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lj_strscan.c b/src/lj_strscan.c
index d18fab8c..947d9746 100644
--- a/src/lj_strscan.c
+++ b/src/lj_strscan.c
@@ -63,6 +63,7 @@
 #define STRSCAN_MAXDIG  800             /* 772 + extra are sufficient. */
 #define STRSCAN_DDIG    (STRSCAN_DIG/2)
 #define STRSCAN_DMASK   (STRSCAN_DDIG-1)
+#define STRSCAN_MAXEXP  (1 << 20)
 
 /* Helpers for circular buffer. */
 #define DNEXT(a)        (((a)+1) & STRSCAN_DMASK)
@@ -399,6 +400,7 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt)
       if (dig) {
         ex = (int32_t)(dp-(p-1)); dp = p-1;
         while (ex < 0 && *dp-- == '0') ex++, dig--;  /* Skip trailing zeros. */
+        if (ex <= -STRSCAN_MAXEXP) return STRSCAN_ERROR;
         if (base == 16) ex *= 4;
       }
     }
@@ -412,7 +414,8 @@ StrScanFmt lj_strscan_scan(const uint8_t *p, TValue *o, uint32_t opt)
       if (!lj_char_isdigit(*p)) return STRSCAN_ERROR;
       xx = (*p++ & 15);
       while (lj_char_isdigit(*p)) {
-        if (xx < 65536) xx = xx * 10 + (*p & 15);
+        xx = xx * 10 + (*p & 15);
+        if (xx >= STRSCAN_MAXEXP) return STRSCAN_ERROR;
         p++;
       }
       ex += negx ? -(int32_t)xx : (int32_t)xx;