Fix signed integer overflow UB in opt_tryParseDouble exponent parsing

syoyo · claude · syoyo · commit 1eac24333b7b · 2026-03-17T04:04:06.000+09:00
The exponent accumulation loop `exponent *= 10` could overflow int
for inputs like "1.0e9999999999", which is undefined behavior in C++.
Clamped to 0x7FFFFFF (~134M) before the multiply — values above 308
already exceed double range, so further digits are irrelevant.

Only affects TINYOBJLOADER_DISABLE_FAST_FLOAT builds (the hand-written
float parser fallback). Verified with UBSan fuzzing (15K iterations).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/tiny_obj_loader.h b/tiny_obj_loader.h
@@ -10159,8 +10159,12 @@ static bool opt_tryParseDouble(const char *s, const char *s_end,
     read = 0;
     end_not_reached = (curr != s_end);
     while (end_not_reached && TINYOBJ_OPT_IS_DIGIT(*curr)) {
-      exponent *= 10;
-      exponent += static_cast<int>(*curr - '0');
+      // Clamp to avoid signed integer overflow (UB).  |exponent| > 308
+      // already exceeds double range, so further digits are irrelevant.
+      if (exponent < 0x7FFFFFF) {
+        exponent *= 10;
+        exponent += static_cast<int>(*curr - '0');
+      }
       curr++;
       read++;
       end_not_reached = (curr != s_end);
