[libxml2] Fix integer overflow in _xmlSchemaParseGYear



commit 18425d3ad5a9bbe5c6e7fd4a9a45691e6c8862d1
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sun Jun 21 19:14:23 2020 +0200

    Fix integer overflow in _xmlSchemaParseGYear
    
    Found with libFuzzer and UBSan.

 xmlschemastypes.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
---
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 35edfd6f..164db94b 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -1222,7 +1222,14 @@ _xmlSchemaParseGYear (xmlSchemaValDatePtr dt, const xmlChar **str) {
     firstChar = cur;
 
     while ((*cur >= '0') && (*cur <= '9')) {
-       dt->year = dt->year * 10 + (*cur - '0');
+        int digit = *cur - '0';
+
+        if (dt->year > LONG_MAX / 10)
+            return 2;
+       dt->year *= 10;
+        if (dt->year > LONG_MAX - digit)
+            return 2;
+        dt->year += digit;
        cur++;
        digcnt++;
     }
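Review bot: The two new guards in the digit loop compare against `LONG_MAX`, which is only correct while `dt->year` is declared as `long`; that declaration is outside this hunk, so a later change to the field's type would silently weaken the check. A short comment above the first guard would pin the intent, e.g. `/* dt->year is a long: reject before year * 10 + digit can overflow */`. The early `return 2` also leaves `dt->year` holding the partially accumulated value, so the function's header comment (outside the hunk, as are the start and end of the body) should say that `dt` must be treated as undefined on a non-zero return. `LONG_MAX` needs `<limits.h>`, and the hunk does not show whether the file already includes it.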

