Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.

Thanks Elias Myllymäki for the report.

Co-authored-by: Shai Berger <shai@platonix.com>

1 files changed, 17 insertions, 0 deletions

diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
index 145858b75f..3d6c34a552 100644
--- a/tests/template_tests/filter_tests/test_floatformat.py
+++ b/tests/template_tests/filter_tests/test_floatformat.py
@@ -73,6 +73,7 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(1.5e-15, 20), "0.00000000000000150000")
         self.assertEqual(floatformat(1.5e-15, -20), "0.00000000000000150000")
         self.assertEqual(floatformat(1.00000000000000015, 16), "1.0000000000000002")
+        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
 
     def test_invalid_inputs(self):
         cases = [
@@ -169,6 +170,22 @@ class FunctionTests(SimpleTestCase):
         self.assertEqual(floatformat(pos_inf), "inf")
         self.assertEqual(floatformat(neg_inf), "-inf")
         self.assertEqual(floatformat(pos_inf / pos_inf), "nan")
+        self.assertEqual(floatformat("inf"), "inf")
+        self.assertEqual(floatformat("NaN"), "NaN")
+
+    def test_too_many_digits_to_render(self):
+        cases = [
+            "1e200",
+            "1E200",
+            "1E10000000000000000",
+            "-1E10000000000000000",
+            "1e10000000000000000",
+            "-1e10000000000000000",
+            "1" + "0" * 1_000_000,
+        ]
+        for value in cases:
+            with self.subTest(value=value):
+                self.assertEqual(floatformat(value), value)
 
     def test_float_dunder_method(self):
         class FloatWrapper: