From d25b8c6c8d45c58097dbf68aa96b506a6e2c40f4 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 2 Mar 2021 12:45:43 +0100
Subject: [PATCH] Fix xsl:number generating invalid UTF-8

xsl:number with an empty grouping separator would generate 0xFF bytes.

Found by OSS-Fuzz.
---
 libxslt/preproc.c        |  2 ++
 tests/REC/Makefile.am    |  1 +
 tests/REC/test-7.7-6.out | 11 +++++++++++
 tests/REC/test-7.7-6.xml |  1 +
 tests/REC/test-7.7-6.xsl | 36 ++++++++++++++++++++++++++++++++++++
 5 files changed, 51 insertions(+)
 create mode 100644 tests/REC/test-7.7-6.out
 create mode 100644 tests/REC/test-7.7-6.xml
 create mode 100644 tests/REC/test-7.7-6.xsl

diff --git a/libxslt/preproc.c b/libxslt/preproc.c
index bd654daf..7d2fa221 100644
--- a/libxslt/preproc.c
+++ b/libxslt/preproc.c
@@ -1494,6 +1494,8 @@ xsltNumberComp(xsltStylesheetPtr style, xmlNodePtr cur) {
         comp->numdata.groupingCharacterLen = xmlStrlen(prop);
 	comp->numdata.groupingCharacter =
 	    xsltGetUTF8Char(prop, &(comp->numdata.groupingCharacterLen));
+        if (comp->numdata.groupingCharacter < 0)
+            comp->numdata.groupingCharacter = 0;
     }
 
     prop = xsltGetCNsProp(style, cur, (const xmlChar *)"grouping-size", XSLT_NAMESPACE);
diff --git a/tests/REC/Makefile.am b/tests/REC/Makefile.am
index 8b185fc0..b0d943f2 100644
--- a/tests/REC/Makefile.am
+++ b/tests/REC/Makefile.am
@@ -74,6 +74,7 @@ EXTRA_DIST = 						\
     test-7.7-3.out test-7.7-3.xml test-7.7-3.xsl	\
     test-7.7-4.out test-7.7-4.xml test-7.7-4.xsl	\
     test-7.7-5.out test-7.7-5.xml test-7.7-5.xsl	\
+    test-7.7-6.out test-7.7-6.xml test-7.7-6.xsl	\
     test-8-1.out test-8-1.xml test-8-1.xsl		\
     test-9.1-1.out test-9.1-1.xml test-9.1-1.xsl	\
     test-9.1-2.out test-9.1-2.xml test-9.1-2.xsl	\
diff --git a/tests/REC/test-7.7-6.out b/tests/REC/test-7.7-6.out
new file mode 100644
index 00000000..66b3cd5f
--- /dev/null
+++ b/tests/REC/test-7.7-6.out
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<results>
+  <r>1.234.567.890</r>
+  <r>1’234’567’890</r>
+  <r>1.2.3.4.5.6.7.8.9.0</r>
+  <r>1234567890</r>
+  <r>1234567890</r>
+  <r>1234567890</r>
+  <r>1234567890</r>
+  <r>1234567890</r>
+</results>
diff --git a/tests/REC/test-7.7-6.xml b/tests/REC/test-7.7-6.xml
new file mode 100644
index 00000000..69d62f2c
--- /dev/null
+++ b/tests/REC/test-7.7-6.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/REC/test-7.7-6.xsl b/tests/REC/test-7.7-6.xsl
new file mode 100644
index 00000000..6449dc1c
--- /dev/null
+++ b/tests/REC/test-7.7-6.xsl
@@ -0,0 +1,36 @@
+<xsl:stylesheet
+  version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:output indent="yes"/>
+
+<xsl:template match="/">
+  <results>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="3"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="’" grouping-size="3"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="1"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="0"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="-1"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="99"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="." grouping-size="abc"/>
+    </r>
+    <r>
+      <xsl:number value="1234567890" grouping-separator="" grouping-size="3"/>
+    </r>
+  </results>
+</xsl:template>
+
+</xsl:stylesheet>