From b9bdb9dbfda8f591f1797ad90f900bf44ad39d45 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Tue, 19 Mar 2019 17:44:51 +0100
Subject: [PATCH 13/37] Check for integer overflow in xmlXPtrEvalChildSeq
Found with libFuzzer and UBSan.
---
 xpointer.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/xpointer.c b/xpointer.c
index 6a41f07..0467411 100644
--- a/xpointer.c
+++ b/xpointer.c
@@ -1202,13 +1202,23 @@ xmlXPtrEvalChildSeq(xmlXPathParserContextPtr ctxt, xmlChar *name) {
 }
 while (CUR == '/') {
- int child = 0;
+ int child = 0, overflow = 0;
 NEXT;
 while ((CUR >= '0') && (CUR <= '9')) {
- child = child * 10 + (CUR - '0');
+ int d = CUR - '0';
+ if (child > INT_MAX / 10) overflow = 1;
+ else child *= 10;
+ if (child > INT_MAX - d) overflow = 1;
+ else child += d;
 NEXT;
 }
+ if (overflow) child = 0;
 xmlXPtrGetChildNo(ctxt, child);
 }
 }
-- 
1.8.3.1
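Review bot: The `if (overflow) child = 0;` line silently turns a child sequence whose index does not fit in an `int` into a lookup for child 0, and nothing in the hunk records that the input was malformed; the two blocks that set `overflow` carry no comment either, so the reason the digit loop keeps consuming digits after overflow (so the parser position stays consistent for the outer `while (CUR == '/')` loop) is left to the reader. Add `/* keep consuming digits after overflow so the cursor stays aligned; an index that does not fit in int cannot name any child */` above the first `if (child > INT_MAX / 10)`, and `/* overflow: no such child can exist, let xmlXPtrGetChildNo take the out-of-range path */` above `if (overflow)`. Whether index 0 is treated as out of range by xmlXPtrGetChildNo is not visible here and should be confirmed; if callers rely on an error rather than an empty result for malformed pointers, reporting the overflow through the file's existing XPointer error path would be the more observable outcome. The body of xmlXPtrEvalChildSeq starts before the hunk.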