[libxml2] Check for integer overflow in xmlXPathFormatNumber



commit 7482f41f61d733656d588b4d8c300b1ecdff7f5f
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Jun 1 22:00:19 2017 +0200

    Check for integer overflow in xmlXPathFormatNumber
    
    Check for overflow before casting double to int.
    
    Found with afl-fuzz and UBSan.

 result/XPath/expr/floats  |    8 ++++++++
 result/XPath/expr/strings |    8 ++++++++
 test/XPath/expr/floats    |    2 ++
 test/XPath/expr/strings   |    2 ++
 xpath.c                   |    3 ++-
 5 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/result/XPath/expr/floats b/result/XPath/expr/floats
index b6255ce..157bd76 100644
--- a/result/XPath/expr/floats
+++ b/result/XPath/expr/floats
@@ -242,3 +242,11 @@ Object is a number : -1
 ========================
 Expression: 8 mod 3 = 2
 Object is a Boolean : true
+
+========================
+Expression: 12345678901234567890
+Object is a number : 1.23457e+19
+
+========================
+Expression: -12345678901234567890
+Object is a number : -1.23457e+19
diff --git a/result/XPath/expr/strings b/result/XPath/expr/strings
index fad7048..1ae5cc4 100644
--- a/result/XPath/expr/strings
+++ b/result/XPath/expr/strings
@@ -20,6 +20,14 @@ Expression: string(false())
 Object is a string : false
 
 ========================
+Expression: string(12345678901234567890)
+Object is a string : 1.23456789012346e+19
+
+========================
+Expression: string(-12345678901234567890)
+Object is a string : -1.23456789012346e+19
+
+========================
 Expression: concat("titi","toto")
 Object is a string : tititoto
 
diff --git a/test/XPath/expr/floats b/test/XPath/expr/floats
index 96c10d1..b447524 100644
--- a/test/XPath/expr/floats
+++ b/test/XPath/expr/floats
@@ -59,3 +59,5 @@ number('f') div 1
 -5 mod 2
 -5 mod -2
 8 mod 3 = 2
+12345678901234567890
+-12345678901234567890
diff --git a/test/XPath/expr/strings b/test/XPath/expr/strings
index 849ca14..ba02c79 100644
--- a/test/XPath/expr/strings
+++ b/test/XPath/expr/strings
@@ -3,6 +3,8 @@ string(0.5)
 string(-0.5)
 string(true())
 string(false())
+string(12345678901234567890)
+string(-12345678901234567890)
 concat("titi","toto")
 concat("titi","toto","tata")
 concat("titi",'toto')
diff --git a/xpath.c b/xpath.c
index a60a623..318b5b4 100644
--- a/xpath.c
+++ b/xpath.c
@@ -3106,7 +3106,8 @@ xmlXPathFormatNumber(double number, char buffer[], int buffersize)
                snprintf(buffer, buffersize, "NaN");
        } else if (number == 0 && xmlXPathGetSign(number) != 0) {
            snprintf(buffer, buffersize, "0");
-       } else if (number == ((int) number)) {
+       } else if ((number > INT_MIN) && (number < INT_MAX) &&
+                   (number == (int) number)) {
            char work[30];
            char *ptr, *cur;
            int value = (int) number;
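Review bot: The new guard on the `else if` line uses strict comparisons, so a `number` exactly equal to INT_MIN or INT_MAX no longer takes the integer branch even though both bounds convert to double exactly and the cast would be well defined; if that is unintended, `(number >= INT_MIN) && (number <= INT_MAX)` keeps the fix while preserving the previous output for those two values. The reason for the range check is not stated in the code, and a reader may later "simplify" it away; a one-line comment such as `/* casting an out-of-range double to int is undefined behaviour, so bound-check first */` above the condition would pin it. INT_MIN and INT_MAX presumably come from `<limits.h>` already included elsewhere in xpath.c, since the hunk adds no include. xmlXPathFormatNumber starts before and continues after this hunk.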

