[libxml2] Integer overflow parsing port number in URI



commit 846cf015a77b9bca7b90c17c1f608ece3e268dad
Author: Michael Paddon <mwp chromium org>
Date:   Sat May 21 17:16:05 2016 +0800

    Integer overflow parsing port number in URI
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=765566
    
    in xmlParse3986Port(), uri->port can overflow when parsing the port number.
    The type of uri->port is int, so the consequent behavior is undefined and
    may differ between compilers and architectures

 uri.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)
---
diff --git a/uri.c b/uri.c
index ff47abb..2bd5720 100644
--- a/uri.c
+++ b/uri.c
@@ -314,7 +314,7 @@ xmlParse3986Query(xmlURIPtr uri, const char **str)
  * @uri:  pointer to an URI structure
  * @str:  the string to analyze
  *
- * Parse a port  part and fills in the appropriate fields
+ * Parse a port part and fills in the appropriate fields
  * of the @uri structure
  *
  * port          = *DIGIT
@@ -325,15 +325,16 @@ static int
 xmlParse3986Port(xmlURIPtr uri, const char **str)
 {
     const char *cur = *str;
+    unsigned port = 0; /* unsigned for defined overflow behavior */
 
     if (ISA_DIGIT(cur)) {
-       if (uri != NULL)
-           uri->port = 0;
        while (ISA_DIGIT(cur)) {
-           if (uri != NULL)
-               uri->port = uri->port * 10 + (*cur - '0');
+           port = port * 10 + (*cur - '0');
+
            cur++;
        }
+       if (uri != NULL)
+           uri->port = port & INT_MAX; /* port value modulo INT_MAX+1 */
        *str = cur;
        return(0);
     }
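Review bot: The mask in `uri->port = port & INT_MAX;` makes the overflow defined but turns an over-long digit run into an arbitrary, valid-looking port instead of rejecting it: the unsigned accumulator wraps modulo 2^32 and the result is then forced into [0, INT_MAX], so (constructed example, 32-bit unsigned) a port of `4294967396` parses as 100, which invites a parsing differential with whatever later consumes uri->port. Since the loop already walks one digit at a time, bounding the value before and after each step and returning the function's non-zero error code (the sibling xmlParse3986* parsers appear to return 1 on malformed input) costs no more code than the mask and fails closed. INT_MAX also requires `<limits.h>`, which the hunk does not add; worth confirming uri.c already includes it. xmlParse3986Port's body continues past the end of the hunk.
```c
        while (ISA_DIGIT(cur)) {
            /* reject rather than wrap: a wrapped value would parse as a plausible port */
            if (port > (unsigned) INT_MAX / 10)
                return(1);
            port = port * 10 + (*cur - '0');
            if (port > (unsigned) INT_MAX)
                return(1);
            cur++;
        }
        if (uri != NULL)
            uri->port = (int) port;
        /* … unchanged: *str = cur; return(0); … */
```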

