[libxml2] Check for overflow in xmlXPathIsPositionalPredicate



commit a58331a6ee4d4c161cebfa4e0d9a090945c6bf23
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon May 29 21:02:21 2017 +0200

    Check for overflow in xmlXPathIsPositionalPredicate
    
    Avoid undefined behavior when casting from double to int.
    
    Found with afl-fuzz and UBSan.

 result/XPath/tests/chaptersbase |   15 +++++++++++++++
 test/XPath/tests/chaptersbase   |    3 +++
 xpath.c                         |   14 ++++++++------
 3 files changed, 26 insertions(+), 6 deletions(-)
---
diff --git a/result/XPath/tests/chaptersbase b/result/XPath/tests/chaptersbase
index e023bf0..fd021d8 100644
--- a/result/XPath/tests/chaptersbase
+++ b/result/XPath/tests/chaptersbase
@@ -123,3 +123,18 @@ Set contains 5 nodes:
 3  ELEMENT p
 4  ELEMENT p
 5  ELEMENT p
+
+========================
+Expression: //p[0 div 0]
+Object is a Node Set :
+Set contains 0 nodes:
+
+========================
+Expression: //p[100000000000000000000]
+Object is a Node Set :
+Set contains 0 nodes:
+
+========================
+Expression: //p[-100000000000000000000]
+Object is a Node Set :
+Set contains 0 nodes:
diff --git a/test/XPath/tests/chaptersbase b/test/XPath/tests/chaptersbase
index 17638f7..f8fbe2a 100644
--- a/test/XPath/tests/chaptersbase
+++ b/test/XPath/tests/chaptersbase
@@ -8,3 +8,6 @@
 /descendant::title
 /descendant::p/ancestor::chapter
 //p[1]
+//p[0 div 0]
+//p[100000000000000000000]
+//p[-100000000000000000000]
diff --git a/xpath.c b/xpath.c
index d40bdda..82b0eea 100644
--- a/xpath.c
+++ b/xpath.c
@@ -17,6 +17,7 @@
 #define IN_LIBXML
 #include "libxml.h"
 
+#include <limits.h>
 #include <string.h>
 
 #ifdef HAVE_SYS_TYPES_H
@@ -12055,6 +12056,8 @@ xmlXPathIsPositionalPredicate(xmlXPathParserContextPtr ctxt,
        (exprOp->value4 != NULL) &&
        (((xmlXPathObjectPtr) exprOp->value4)->type == XPATH_NUMBER))
     {
+        double floatval = ((xmlXPathObjectPtr) exprOp->value4)->floatval;
+
        /*
        * We have a "[n]" predicate here.
        * TODO: Unfortunately this simplistic test here is not
@@ -12065,13 +12068,12 @@ xmlXPathIsPositionalPredicate(xmlXPathParserContextPtr ctxt,
        * like it "[position() < 5]", is also not detected.
        * Maybe we could rewrite the AST to ease the optimization.
        */
-       *maxPos = (int) ((xmlXPathObjectPtr) exprOp->value4)->floatval;
 
-       if (((xmlXPathObjectPtr) exprOp->value4)->floatval ==
-           (float) *maxPos)
-       {
-           return(1);
-       }
+        if ((floatval > INT_MIN) && (floatval < INT_MAX)) {
+           *maxPos = (int) floatval;
+            if (floatval == (double) *maxPos)
+                return(1);
+        }
     }
     return(0);
 }
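Review bot: The new range check on `floatval` (the `if ((floatval > INT_MIN) && (floatval < INT_MAX))` line) carries no comment explaining why it exists, so a later reader may "simplify" it back to the bare cast the commit removes; add above the `if`: `/* (int) of a double outside int's range is undefined behaviour (C11 6.3.1.4); NaN (e.g. "0 div 0") fails both comparisons and is rejected too. */`. The strict comparisons also reject exactly INT_MIN and INT_MAX even though both values convert to double exactly, which looks harmless here since returning 0 presumably just means the predicate is no longer treated as a simple positional one, but it is worth stating in that same comment so the asymmetry is understood as deliberate. The added lines mix 8-space indentation (the `if` and closing brace) with tab-based indentation (`*maxPos = (int) floatval;` and the `return(1);`), which should be aligned with the surrounding tab-indented code. The body of xmlXPathIsPositionalPredicate begins before this hunk.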

