From 18425d3ad5a9bbe5c6e7fd4a9a45691e6c8862d1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 21 Jun 2020 19:14:23 +0200
Subject: [PATCH 060/139] Fix integer overflow in _xmlSchemaParseGYear
Found with libFuzzer and UBSan.
---
xmlschemastypes.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 35edfd6..164db94 100644
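--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -1222,7 +1222,14 @@ _xmlSchemaParseGYear (xmlSchemaValDatePtr dt, const xmlChar **str) {
 firstChar = cur;
 
 while ((*cur >= '0') && (*cur <= '9')) {
- dt->year = dt->year * 10 + (*cur - '0');
+ int digit = *cur - '0';
+
+ if (dt->year > LONG_MAX / 10)
+ return 2;
+ dt->year *= 10;
+ if (dt->year > LONG_MAX - digit)
+ return 2;
+ dt->year += digit;
 cur++;
 digcnt++;
 }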
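Review bot: The two new guards in the digit loop are only correct if `dt->year` is a `long` that is non-negative when the loop starts, and nothing in the hunk says so or explains what the bare `return 2` means to callers. The field's declaration and the rest of `_xmlSchemaParseGYear` lie outside the hunk, so both should be confirmed there. I would add a comment above the first check such as `/* year is a non-negative long here: refuse the digit before the multiply or add can overflow (signed overflow is UB) */`. The early return also leaves `dt->year` holding the partially accumulated value, which is fine only if callers discard `dt` on a non-zero result. The diffstat shows only xmlschemastypes.c changing, so a regression case with an over-long gYear lexical value would help keep this fixed.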
--
1.8.3.1