lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-08-07 06:43:02 +03:00
Code Activity

Fix integer overflow in xmlFAParseQuantExact

Browse Source 
Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer
2020-06-25 12:17:50 +02:00
parent 84bab955fe
commit 1e7851b5ae
1 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
xmlregexp.c
View File

@@ -5211,13 +5211,24 @@ static int
xmlFAParseQuantExact(xmlRegParserCtxtPtr ctxt) { xmlFAParseQuantExact(xmlRegParserCtxtPtr ctxt) {
int ret = 0; int ret = 0;
int ok = 0; int ok = 0;
int overflow = 0;
while ((CUR >= '0') && (CUR <= '9')) { while ((CUR >= '0') && (CUR <= '9')) {
ret = ret * 10 + (CUR - '0'); if (ret > INT_MAX / 10) {
overflow = 1;
} else {
int digit = CUR - '0';
ret *= 10;
if (ret > INT_MAX - digit)
overflow = 1;
else
ret += digit;
}
ok = 1; ok = 1;
NEXT; NEXT;
} }
if (ok != 1) { if ((ok != 1) || (overflow == 1)) {
return(-1); return(-1);
} }
return(ret); return(ret);