mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2024-10-26 12:25:09 +03:00
Fix integer overflow in xmlFAParseQuantExact
Found by OSS-Fuzz.
This commit is contained in:
parent
84bab955fe
commit
1e7851b5ae
15
xmlregexp.c
15
xmlregexp.c
@ -5211,13 +5211,24 @@ static int
|
||||
xmlFAParseQuantExact(xmlRegParserCtxtPtr ctxt) {
|
||||
int ret = 0;
|
||||
int ok = 0;
|
||||
int overflow = 0;
|
||||
|
||||
while ((CUR >= '0') && (CUR <= '9')) {
|
||||
ret = ret * 10 + (CUR - '0');
|
||||
if (ret > INT_MAX / 10) {
|
||||
overflow = 1;
|
||||
} else {
|
||||
int digit = CUR - '0';
|
||||
|
||||
ret *= 10;
|
||||
if (ret > INT_MAX - digit)
|
||||
overflow = 1;
|
||||
else
|
||||
ret += digit;
|
||||
}
|
||||
ok = 1;
|
||||
NEXT;
|
||||
}
|
||||
if (ok != 1) {
|
||||
if ((ok != 1) || (overflow == 1)) {
|
||||
return(-1);
|
||||
}
|
||||
return(ret);
|
||||
|
Loading…
Reference in New Issue
Block a user