[libxml2/2.9] Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()

[Nick Wellnhofer <nwellnhof src gnome org>]

commit 8756b95d85d024adba9e69c705f597165486b75e
Author: David Kilzer <ddkilzer webkit org>
Date:   Fri Apr 8 12:33:17 2022 -0700

    Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
    
    * HTMLparser.c:
    (htmlSkipBlankChars):
    * parser.c:
    (xmlSkipBlankChars):
    - Cap the return value at INT_MAX.
    - The commit range that OSS-Fuzz listed for the fix didn't make
      any changes to xmlSkipBlankChars(), so it seems like this
      issue may still exist.
    
    Found by OSS-Fuzz Issue 44803.

 HTMLparser.c | 3 ++-
 parser.c     | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
---
diff --git a/HTMLparser.c b/HTMLparser.c
index 3e8a1657..e235f57b 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -614,7 +614,8 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
            if (*ctxt->input->cur == 0)
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
        }
-       res++;
+       if (res < INT_MAX)
+           res++;
     }
     return(res);
 }
diff --git a/parser.c b/parser.c
index 8ca9b2dd..16a5cf69 100644
--- a/parser.c
+++ b/parser.c
@@ -2208,7 +2208,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
                ctxt->input->col++;
            }
            cur++;
-           res++;
+           if (res < INT_MAX)
+               res++;
            if (*cur == 0) {
                ctxt->input->cur = cur;
                xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
@@ -2244,7 +2245,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
              * by the attachment of one leading and one following space (#x20)
              * character."
              */
-           res++;
+           if (res < INT_MAX)
+               res++;
         }
     }
     return(res);