[libxml2] Fix integer overflow in htmlParseCharRef



commit 31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Jun 15 18:47:53 2020 +0200

    Fix integer overflow in htmlParseCharRef
    
    Fixes #115.

 HTMLparser.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index 5dd62df1..be7e14f2 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3400,13 +3400,16 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
         ((NXT(2) == 'x') || NXT(2) == 'X')) {
        SKIP(3);
        while (CUR != ';') {
-           if ((CUR >= '0') && (CUR <= '9'))
-               val = val * 16 + (CUR - '0');
-           else if ((CUR >= 'a') && (CUR <= 'f'))
-               val = val * 16 + (CUR - 'a') + 10;
-           else if ((CUR >= 'A') && (CUR <= 'F'))
-               val = val * 16 + (CUR - 'A') + 10;
-           else {
+           if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+                   val = val * 16 + (CUR - '0');
+            } else if ((CUR >= 'a') && (CUR <= 'f')) {
+                if (val < 0x110000)
+                   val = val * 16 + (CUR - 'a') + 10;
+            } else if ((CUR >= 'A') && (CUR <= 'F')) {
+                if (val < 0x110000)
+                   val = val * 16 + (CUR - 'A') + 10;
+            } else {
                htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF,
                             "htmlParseCharRef: missing semicolon\n",
                             NULL, NULL);
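Review bot: The clamp `if (val < 0x110000)` is pasted into each digit branch, and the same literal is repeated in the decimal loop in the next hunk and in the final range check; the bound should be one named constant so the three places cannot drift, e.g. `#define HTML_MAX_CODEPOINT_LIMIT 0x110000 /* one past U+10FFFF */` (constructed name), with a one-line why-comment at the first use such as `/* stop accumulating once val cannot be a code point; the clamped value is rejected below */`. The guard could also be applied once by having the branches compute the digit and doing `if (val < 0x110000) val = val * 16 + digit;` after the chain, but the error branch and its exit are outside the hunk, so whether `digit` is always initialized before that point cannot be confirmed from here. The new lines are also indented one column deeper than the surrounding code (`if` at 16 spaces, body at 19), which is worth aligning with the existing 11/15-column layout. The enclosing while loop and htmlParseCharRef continue past the hunk.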
@@ -3419,9 +3422,10 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
     } else if  ((CUR == '&') && (NXT(1) == '#')) {
        SKIP(2);
        while (CUR != ';') {
-           if ((CUR >= '0') && (CUR <= '9'))
-               val = val * 10 + (CUR - '0');
-           else {
+           if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+                   val = val * 10 + (CUR - '0');
+            } else {
                htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF,
                             "htmlParseCharRef: missing semicolon\n",
                             NULL, NULL);
@@ -3440,6 +3444,9 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
      */
     if (IS_CHAR(val)) {
         return(val);
+    } else if (val >= 0x110000) {
+       htmlParseErr(ctxt, XML_ERR_INVALID_CHAR,
+                    "htmlParseCharRef: value too large\n", NULL, NULL);
     } else {
        htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
                        "htmlParseCharRef: invalid xmlChar value %d\n",
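Review bot: The new `val >= 0x110000` branch reports a fixed message while the sibling branch prints the value with htmlParseErrInt, and the reason for the asymmetry is not recorded: because the digit loops stop accumulating at 0x110000, val here is a clamped value rather than what the document contained, so printing it would be misleading. A comment on the branch such as `/* val was clamped in the digit loops, so the real value is unknown; report only the range error */` would keep a later maintainer from "fixing" it to the %d form. This also ties the threshold to the loop clamps, which is another reason to share one constant between them. What the function returns after these error paths lies outside the hunk.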

