From 44e9118c023ae3697fc40276ab3a50b44477986c Mon Sep 17 00:00:00 2001
From: David Kilzer
Date: Fri, 8 Apr 2022 12:33:17 -0700
Subject: [PATCH] Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()

* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
- Cap the return value at INT_MAX.
- The commit range that OSS-Fuzz listed for the fix didn't make any changes to xmlSkipBlankChars(), so it seems like this issue may still exist.

Found by OSS-Fuzz Issue 44803.
---
 HTMLparser.c | 3 ++-
 parser.c | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index 9bd0fb34..9079fa8a 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -598,7 +598,8 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 if (*ctxt->input->cur == 0)
 xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 }
- res++;
+ if (res < INT_MAX)
+ res++;
 }
 return(res);
 }
diff --git a/parser.c b/parser.c
index 230872f4..1bea54eb 100644
--- a/parser.c
+++ b/parser.c
@@ -2202,7 +2202,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 ctxt->input->col++;
 }
 cur++;
- res++;
+ if (res < INT_MAX)
+ res++;
 if (*cur == 0) {
 ctxt->input->cur = cur;
 xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
@@ -2238,7 +2239,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
 * by the attachment of one leading and one following space (#x20)
 * character."
 */
- res++;
+ if (res < INT_MAX)
+ res++;
 }
 }
 return(res);
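Review bot: The added `if (res < INT_MAX)` in htmlSkipBlankChars depends on `INT_MAX`, and nothing in this hunk shows HTMLparser.c including `<limits.h>`; if the macro is only reached through another header's include chain, add an explicit `#include <limits.h>` to the file's include block so the build does not silently depend on it. Saturating also means that once more than INT_MAX blanks are consumed the returned count no longer matches what the loop skipped, because the cursor keeps advancing while `res` stops. That is harmless if callers only compare the result against zero, which cannot be confirmed from the hunk, so a comment on the new branch would record the trade-off: `/* saturate rather than overflow (UB); an exact count past INT_MAX is not needed -- verify callers */`. The while loop and the function header are above the hunk.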
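Review bot: The return contract of xmlSkipBlankChars changes with this hunk but its doc comment, which sits above the hunk, presumably still describes the result as the number of blank characters skipped; with the cap that is only true up to INT_MAX, so the header should say so, e.g. `* Returns the number of space chars skipped, saturated at INT_MAX; the input cursor is advanced past all of them regardless.` The added compare sits inside the per-character fast path (`cur++` immediately precedes it), which is fine cost-wise but is worth a one-line why-comment there, since a reader will otherwise wonder why a simple counter is guarded: `/* avoid signed overflow on >2 GiB of whitespace (OSS-Fuzz 44803) */`. The enclosing loop starts outside the hunk.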
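Review bot: This hunk is the third copy of the same two-line saturating increment in the commit (two in xmlSkipBlankChars, one in htmlSkipBlankChars), so the bound now lives in three places and can drift; a small helper keeps them identical, e.g. `static int xmlSaturatedInc(int v) { return (v < INT_MAX) ? v + 1 : v; }` used as `res = xmlSaturatedInc(res);`, declared wherever the two files already share private declarations (the hunk does not show such a header, so it may need to be added). The increment here appears to account for the implied #x20 from the 4.4.8 quote in the context lines rather than a consumed input character, so it is reached far less often than the per-character one and the cap is mostly for consistency; a brief comment such as `/* counts the implied space, not input bytes */` would make that distinction explicit. The enclosing branch and loop begin above the hunk.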