From db1cbb29f40b3d2e88fe33b503a9c33319f4a7dd Mon Sep 17 00:00:00 2001
Date: Fri, 13 Mar 2020 10:41:52 +0800
Subject: [PATCH] avoid triggering signed integer overflow

---
 src/html-url.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/html-url.c b/src/html-url.c
index 2f95357..409f2a0 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -596,7 +596,11 @@ tag_handle_meta (int tagid _GL_UNUSED, struct taginfo *tag, struct map_context *
         return;
 
       for (p = refresh; c_isdigit (*p); p++)
-        timeout = 10 * timeout + *p - '0';
+        {
+          if (timeout > INT_MAX >> 4 || *p - '0' > INT_MAX - 10 * timeout)
+            return;
+          timeout = 10 * timeout + *p - '0';
+        }
       if (*p++ != ';')
         return;
 
-- 
2.23.0