[libxml2] Check XPath exponents for overflow



commit f4029cd413940677a310b48cd6cf6acf9cf33008
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Apr 21 16:37:26 2016 +0200

    Check XPath exponents for overflow
    
    Avoid undefined behavior and wrong results with huge exponents.
    
    Found with afl-fuzz and UBSan.

 result/XPath/expr/base |   32 ++++++++++++++++++++++++++++++++
 test/XPath/expr/base   |    8 ++++++++
 xpath.c                |    6 ++++--
 3 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/result/XPath/expr/base b/result/XPath/expr/base
index e2f6389..57c93cf 100644
--- a/result/XPath/expr/base
+++ b/result/XPath/expr/base
@@ -32,5 +32,37 @@ Expression: -0.000000000000000000000000000000000000000000000000001
 Object is a number : -1e-51
 
 ========================
+Expression: 1e2147483648
+Object is a number : Infinity
+
+========================
+Expression: 1e4294967296
+Object is a number : Infinity
+
+========================
+Expression: 1e9223372036854775808
+Object is a number : Infinity
+
+========================
+Expression: 1e18446744073709551616
+Object is a number : Infinity
+
+========================
+Expression: 1e-2147483649
+Object is a number : 0
+
+========================
+Expression: 1e-4294967296
+Object is a number : 0
+
+========================
+Expression: 1e-9223372036854775809
+Object is a number : 0
+
+========================
+Expression: 1e-18446744073709551616
+Object is a number : 0
+
+========================
 Expression: self::-name
 Object is empty (NULL)
diff --git a/test/XPath/expr/base b/test/XPath/expr/base
index 823f64b..cc18735 100644
--- a/test/XPath/expr/base
+++ b/test/XPath/expr/base
@@ -6,4 +6,12 @@
 1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1+1*1
 0.000000000000000000000000000000000000000000000000001
 -0.000000000000000000000000000000000000000000000000001
+1e2147483648
+1e4294967296
+1e9223372036854775808
+1e18446744073709551616
+1e-2147483649
+1e-4294967296
+1e-9223372036854775809
+1e-18446744073709551616
 self::-name
diff --git a/xpath.c b/xpath.c
index 82b0eea..a60a623 100644
--- a/xpath.c
+++ b/xpath.c
@@ -10151,7 +10151,8 @@ xmlXPathStringEvalNumber(const xmlChar *str) {
         cur++;
       }
       while ((*cur >= '0') && (*cur <= '9')) {
-       exponent = exponent * 10 + (*cur - '0');
+        if (exponent < 1000000)
+         exponent = exponent * 10 + (*cur - '0');
        cur++;
       }
     }
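Review bot: The bound `1000000` in the added `if (exponent < 1000000)` is an unexplained magic number, and the same literal is repeated in the xmlXPathCompNumber hunk below; it should be one named constant (e.g. `#define XPATH_MAX_EXPONENT 1000000` near the top of the file) used at both sites, with a comment such as `/* 10^1000000 already exceeds DBL_MAX, so further digits cannot change the result; they are still consumed so parsing stays in sync */`. As written the guard is sound: the accumulated value stays below 10000000 before the check stops it, which fits an int if `exponent` is declared as one (its declaration is outside the hunk), and the remaining digits are still advanced over, which keeps the parse position correct. The indentation of the added `if` (8 spaces) differs from the surrounding 7-space lines in this hunk. xmlXPathStringEvalNumber starts and ends outside this hunk.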
@@ -10245,7 +10246,8 @@ xmlXPathCompNumber(xmlXPathParserContextPtr ctxt)
            NEXT;
        }
         while ((CUR >= '0') && (CUR <= '9')) {
-            exponent = exponent * 10 + (CUR - '0');
+            if (exponent < 1000000)
+                exponent = exponent * 10 + (CUR - '0');
             NEXT;
         }
         if (is_exponent_negative)

