[libxml2] Fix unsigned integer overflow in htmlParseTryOrFinish



commit 681f094e5bd1d0f6b38b27701d0d1bf1ca7a9a26
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Jun 15 15:23:05 2020 +0200

    Fix unsigned integer overflow in htmlParseTryOrFinish
    
    Cast to signed type before subtraction to avoid unsigned integer
    overflow. Also use ptrdiff_t to avoid potential integer truncation.
    
    Found with libFuzzer and UBSan.

 HTMLparser.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index be7e14f2..9ade6635 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -5339,7 +5339,7 @@ static int
 htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
     int ret = 0;
     htmlParserInputPtr in;
-    int avail = 0;
+    ptrdiff_t avail = 0;
     xmlChar cur, next;
 
     htmlParserNodeInfo node_info;
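Review bot: Widening `avail` to `ptrdiff_t` changes the type of every later use of the variable, and all of those uses lie outside this hunk, so the hunk alone cannot show they are still type-correct. If any later statement passes `avail` to an `int` parameter, compares it with an `int` that was itself derived from a size, or prints it with `%d`, that is now an implicit narrowing that `-Wconversion` would report; it is worth a pass over the rest of htmlParseTryOrFinish (the function continues past this hunk) and a `%td`/`(int)` fix where found. A one-line comment on the declaration, `/* bytes left in the current input; ptrdiff_t so xmlBufUse() - offset cannot wrap */`, would record why the type is not `int`.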
@@ -5404,7 +5404,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
        if (in->buf == NULL)
            avail = in->length - (in->cur - in->base);
        else
-           avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+           avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                    (in->cur - in->base);
        if ((avail == 0) && (terminate)) {
            htmlAutoCloseOnEnd(ctxt);
            if ((ctxt->nameNr == 0) && (ctxt->instate != XML_PARSER_EOF)) {
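Review bot: The corrected expression `(ptrdiff_t)xmlBufUse(in->buf->buffer) - (in->cur - in->base)` together with its `in->buf == NULL` alternative is now duplicated verbatim in five places (here and in the hunks ending at L51, L61, L71 and L81), which is how the original overflow came to be copied five times in the first place. A `static` helper computing the remaining byte count once would keep the cast in a single spot and give it a documented contract. It would also be the one place to decide what a negative result means: with the signed type a `cur` past the buffer end now yields a negative `avail`, which the `avail == 0` test on the following line does not treat as exhausted, whereas the `avail < 2` / `avail < 1` tests in the later hunks do; whether that case can actually arise is not visible in the hunk.

```c
/*
 * htmlParserInputAvail:
 * @in: the current parser input
 *
 * Returns the number of bytes still unread in @in, as a signed value
 * so that the subtraction cannot wrap when xmlBufUse() is smaller
 * than the consumed offset.
 */
static ptrdiff_t
htmlParserInputAvail(htmlParserInputPtr in) {
    ptrdiff_t consumed = in->cur - in->base;

    if (in->buf == NULL)
        return in->length - consumed;
    return (ptrdiff_t) xmlBufUse(in->buf->buffer) - consumed;
}

/* … unchanged: start of htmlParseTryOrFinish … */
        avail = htmlParserInputAvail(in);
        if ((avail == 0) && (terminate)) {
/* … unchanged: remainder of the loop body … */
```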
@@ -5440,7 +5441,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
                    if (in->buf == NULL)
                        avail = in->length - (in->cur - in->base);
                    else
-                       avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+                       avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                                (in->cur - in->base);
                }
                if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))
                    ctxt->sax->setDocumentLocator(ctxt->userData,
@@ -5482,7 +5484,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
                if (in->buf == NULL)
                    avail = in->length - (in->cur - in->base);
                else
-                   avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+                   avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
                /*
                 * no chars in buffer
                 */
@@ -5555,7 +5558,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
                if (in->buf == NULL)
                    avail = in->length - (in->cur - in->base);
                else
-                   avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+                   avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
                if (avail < 2)
                    goto done;
                cur = in->cur[0];
@@ -5596,7 +5600,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
                if (in->buf == NULL)
                    avail = in->length - (in->cur - in->base);
                else
-                   avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+                   avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
                if (avail < 1)
                    goto done;
                cur = in->cur[0];

