Fix integer overflow when parsing {min,max}Occurs

Clamp value to INT_MAX. Found with libFuzzer and UBSan.
2025-01-27 14:03:36 +03:00 · 2020-06-21 16:26:38 +02:00 · 2020-06-21 16:26:38 +02:00 · 070d635e77
commit 070d635e77
parent 50f18830e1
1 changed files with 20 additions and 2 deletions
--- a/xmlschemas.c
+++ b/xmlschemas.c
@ -6074,7 +6074,16 @@ xmlGetMaxOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
 	return (def);
    }
    while ((*cur >= '0') && (*cur <= '9')) {
-        ret = ret * 10 + (*cur - '0');
+        if (ret > INT_MAX / 10) {
+            ret = INT_MAX;
+        } else {
+            int digit = *cur - '0';
+            ret *= 10;
+            if (ret > INT_MAX - digit)
+                ret = INT_MAX;
+            else
+                ret += digit;
+        }
        cur++;
    }
    while (IS_BLANK_CH(*cur))
@ -6126,7 +6135,16 @@ xmlGetMinOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
        return (def);
    }
    while ((*cur >= '0') && (*cur <= '9')) {
-        ret = ret * 10 + (*cur - '0');
+        if (ret > INT_MAX / 10) {
+            ret = INT_MAX;
+        } else {
+            int digit = *cur - '0';
+            ret *= 10;
+            if (ret > INT_MAX - digit)
+                ret = INT_MAX;
+            else
+                ret += digit;
+        }
        cur++;
    }
    while (IS_BLANK_CH(*cur))