[libxml2] Check for integer overflow in xmlXPtrEvalChildSeq



commit b9bdb9dbfda8f591f1797ad90f900bf44ad39d45
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Tue Mar 19 17:44:51 2019 +0100

    Check for integer overflow in xmlXPtrEvalChildSeq
    
    Found with libFuzzer and UBSan.

 xpointer.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
---
diff --git a/xpointer.c b/xpointer.c
index 6a41f079..04674113 100644
--- a/xpointer.c
+++ b/xpointer.c
@@ -1202,13 +1202,23 @@ xmlXPtrEvalChildSeq(xmlXPathParserContextPtr ctxt, xmlChar *name) {
     }
 
     while (CUR == '/') {
-       int child = 0;
+       int child = 0, overflow = 0;
        NEXT;
 
        while ((CUR >= '0') && (CUR <= '9')) {
-           child = child * 10 + (CUR - '0');
+            int d = CUR - '0';
+            if (child > INT_MAX / 10)
+                overflow = 1;
+            else
+                child *= 10;
+            if (child > INT_MAX - d)
+                overflow = 1;
+            else
+                child += d;
            NEXT;
        }
+        if (overflow)
+            child = 0;
        xmlXPtrGetChildNo(ctxt, child);
     }
 }
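Review bot: On overflow, `if (overflow) child = 0;` reuses the value `child` already holds when a `/` is followed by no digits, so an out-of-range index and an empty step reach xmlXPtrGetChildNo as the same input. How that function handles 0 is not visible in this hunk, so the choice of sentinel deserves a comment such as `/* index overflowed: pass 0 so the lookup cannot match a wrapped-around child number */`, or an explicit error path if 0 is not reliably rejected downstream. The new checks also rely on `INT_MAX`, and since the diffstat shows no added include, it is worth confirming that `<limits.h>` is already in scope for xpointer.c on every supported configuration. The body of xmlXPtrEvalChildSeq begins before this hunk.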

