From 0382b8a9754b4a9d8e4edffabf916f071b3806fc Mon Sep 17 00:00:00 2001
From: Joel Hockey
Date: Wed, 3 Jan 2018 18:52:36 -0800
Subject: [PATCH] Check hex or decimal entity for overflow
---
 tree.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tree.c b/tree.c
index 959421bd..2089a932 100644
--- a/tree.c
+++ b/tree.c
@@ -1527,6 +1527,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 charval = 0;
 break;
 }
+ if (charval > 0x10FFFF) {
+ xmlTreeErr(XML_ERR_INVALID_CHAR, (xmlNodePtr) doc,
+ NULL);
+ charval = 0;
+ break;
+ }
 cur++;
 tmp = *cur;
 }
@@ -1545,6 +1551,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 charval = 0;
 break;
 }
+ if (charval > 0x10FFFF) {
+ xmlTreeErr(XML_ERR_INVALID_CHAR, (xmlNodePtr) doc,
+ NULL);
+ charval = 0;
+ break;
+ }
 cur++;
 tmp = *cur;
 }
--
2.16.0.rc0.223.g4a4ac83678-goog
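Review bot: The added `if (charval > 0x10FFFF)` bound in the first hunk rejects values above the Unicode range, but it still accepts code points inside that range that XML does not allow as characters, such as the surrogate block 0xD800–0xDFFF and 0xFFFE/0xFFFF; the identical check in the second hunk has the same gap. What is done with `charval` after each loop lies outside both hunks, so this is inferred, but if the value is encoded directly into node content the tree could hold a character the parser would have refused in a character reference. Consider validating the final value once after each loop with the same character-validity test the parser applies to character references. The in-loop check also deserves a comment such as `/* checked per digit so charval cannot overflow on the next multiply */`, presumably the reason it sits inside the loop, so that nobody later hoists it out. The body of xmlStringGetNodeList starts and ends outside both hunks.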