Commit b9bdb9db authored by Nick Wellnhofer's avatar Nick Wellnhofer

Check for integer overflow in xmlXPtrEvalChildSeq

Found with libFuzzer and UBSan.
parent 236dd6ab
......@@ -1202,13 +1202,23 @@ xmlXPtrEvalChildSeq(xmlXPathParserContextPtr ctxt, xmlChar *name) {
}
while (CUR == '/') {
int child = 0;
int child = 0, overflow = 0;
NEXT;
while ((CUR >= '0') && (CUR <= '9')) {
child = child * 10 + (CUR - '0');
int d = CUR - '0';
if (child > INT_MAX / 10)
overflow = 1;
else
child *= 10;
if (child > INT_MAX - d)
overflow = 1;
else
child += d;
NEXT;
}
if (overflow)
child = 0;
xmlXPtrGetChildNo(ctxt, child);
}
}
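Review bot: An index that overflows is silently replaced by `child = 0` right before `xmlXPtrGetChildNo(ctxt, child)`, which is the same value a `/` step with no digits yields, and nothing in the hunk says this is intended. A comment at the `if (overflow)` line would record the decision, e.g. `/* index does not fit in an int: pass 0, as for a step with no digits */`; whether 0 selects no child depends on xmlXPtrGetChildNo, which is not visible here and should be confirmed. As a style point, the two guarded steps in the digit loop can be folded into one test that is equivalent for non-negative values: `if (child > (INT_MAX - d) / 10) overflow = 1; else child = child * 10 + d;`. `INT_MAX` needs `<limits.h>`; that include and the start of xmlXPtrEvalChildSeq are outside the hunk.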
......