44 lines
1.1 KiB
Diff
44 lines
1.1 KiB
Diff
From b9bdb9dbfda8f591f1797ad90f900bf44ad39d45 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Tue, 19 Mar 2019 17:44:51 +0100
|
|
Subject: [PATCH 13/37] Check for integer overflow in xmlXPtrEvalChildSeq
|
|
|
|
Found with libFuzzer and UBSan.
|
|
---
|
|
xpointer.c | 14 ++++++++++++--
|
|
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/xpointer.c b/xpointer.c
|
|
index 6a41f07..0467411 100644
|
|
--- a/xpointer.c
|
|
+++ b/xpointer.c
|
|
@@ -1202,13 +1202,23 @@ xmlXPtrEvalChildSeq(xmlXPathParserContextPtr ctxt, xmlChar *name) {
|
|
}
|
|
|
|
while (CUR == '/') {
|
|
- int child = 0;
|
|
+ int child = 0, overflow = 0;
|
|
NEXT;
|
|
|
|
while ((CUR >= '0') && (CUR <= '9')) {
|
|
- child = child * 10 + (CUR - '0');
|
|
+ int d = CUR - '0';
|
|
+ if (child > INT_MAX / 10)
|
|
+ overflow = 1;
|
|
+ else
|
|
+ child *= 10;
|
|
+ if (child > INT_MAX - d)
|
|
+ overflow = 1;
|
|
+ else
|
|
+ child += d;
|
|
NEXT;
|
|
}
|
|
+ if (overflow)
|
|
+ child = 0;
|
|
xmlXPtrGetChildNo(ctxt, child);
|
|
}
|
|
}
|
|
--
|
|
1.8.3.1
|
|
|