[libxml2] Integer overflow parsing port number in URI
- From: Daniel Veillard <veillard src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Integer overflow parsing port number in URI
- Date: Sat, 21 May 2016 09:18:41 +0000 (UTC)
commit 846cf015a77b9bca7b90c17c1f608ece3e268dad
Author: Michael Paddon <mwp chromium org>
Date: Sat May 21 17:16:05 2016 +0800
Integer overflow parsing port number in URI
For https://bugzilla.gnome.org/show_bug.cgi?id=765566
in xmlParse3986Port(), uri->port can overflow when parsing a the port number.
The type of uri->port is int, so the consequent behavior is undefined and
may differ between compilers and architectures
uri.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
---
diff --git a/uri.c b/uri.c
index ff47abb..2bd5720 100644
--- a/uri.c
+++ b/uri.c
@@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
* @uri: pointer to an URI structure
* @str: the string to analyze
*
- * Parse a port part and fills in the appropriate fields
+ * Parse a port part and fills in the appropriate fields
* of the @uri structure
*
* port = *DIGIT
@@ -325,15 +325,16 @@ static int
xmlParse3986Port(xmlURIPtr uri, const char **str)
{
const char *cur = *str;
+ unsigned port = 0; /* unsigned for defined overflow behavior */
if (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = 0;
while (ISA_DIGIT(cur)) {
- if (uri != NULL)
- uri->port = uri->port * 10 + (*cur - '0');
+ port = port * 10 + (*cur - '0');
+
cur++;
}
+ if (uri != NULL)
+ uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
*str = cur;
return(0);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]